Edit tour

Windows Analysis Report
davies.exe

Overview

General Information

Sample name:	davies.exe
Analysis ID:	1587454
MD5:	7d101b7e062d99e8b7914e7d43dfc23b
SHA1:	a5fa9dc8d98c6e9f9de23cbf6456d6a70b384fdd
SHA256:	5169bb87481b683a2f1043ff15708455d3d889b5c1d95ab107d2ef8fb9e20aee
Tags:	exeLummaStealeruser-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

Tries to resolve many domain names, but no domain seems valid

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

davies.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\davies.exe" MD5: 7D101B7E062D99E8B7914E7D43DFC23B)

WerFault.exe (PID: 7912 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 892 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wrathful-jammy.cyou", "debonairnukk.xyz", "awake-weaves.cyou", "sordid-snaked.cyou", "deafeninggeh.biz", "diffuculttan.xyz", "spellshagey.biz", "effecterectz.xyz", "immureprech.biz"], "Build id": "HpOoIh--@dxrkl0rd"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x13f0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:54.435111+0100	2028371	3	Unknown Traffic	192.168.2.9	49754	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.761664+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.9	54451	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.597043+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.9	56573	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.739258+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.9	53866	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.726870+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.9	65206	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.663506+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.9	50035	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.584727+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.9	49473	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.772233+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.9	51310	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.569584+0100	2058285	1	Domain Observed Used for C2 Detected	192.168.2.9	49653	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:53.750988+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.9	56652	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T12:01:54.903469+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.9	49754	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: davies.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://effecterectz.xyz/;E	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/~	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/R	Avira URL Cloud: Label: malware
Source: spellshagey.biz	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/ikE	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/CE	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/apiCD	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.davies.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["wrathful-jammy.cyou", "debonairnukk.xyz", "awake-weaves.cyou", "sordid-snaked.cyou", "deafeninggeh.biz", "diffuculttan.xyz", "spellshagey.biz", "effecterectz.xyz", "immureprech.biz"], "Build id": "HpOoIh--@dxrkl0rd"}

Multi AV Scanner detection for submitted file

Source: davies.exe	Virustotal: Detection: 79%			Perma Link
Source: davies.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: davies.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: spellshagey.biz
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--@dxrkl0rd

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\davies.exe

Unpacked PE file: 0.2.davies.exe.400000.0.unpack

Source: davies.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\davies.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49754 version: TLS 1.2

Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B1025CF1h	0_2_0043BC5A
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+38F6967Eh]	0_2_0040BCF7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-00000258h]	0_2_00409E40
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042C856
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_0042786E
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000010D0h]	0_2_004248C0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 67F3D776h	0_2_004378D0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1AA2111Dh]	0_2_0043E8E0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004228F0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	0_2_00438089
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-1F0C3802h]	0_2_0041A0A0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov esi, edx	0_2_00429940
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_00429940
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042B160
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D180
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D257
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D266
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edi]	0_2_00408200
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D214
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_0042BA28
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042BA28
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_0041EAC0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-48h]	0_2_00424B57
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+4D4614C0h]	0_2_0041BB20
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ebx, ecx	0_2_0042332F
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, edx	0_2_0040ABC0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042CBC2
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042BBE5
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_00402BB0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042BBBB
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, eax	0_2_00422C50
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00422C50
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_0041646C
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_0043B46E
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, eax	0_2_0042BC19
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042BC19
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+20h]	0_2_00427C84
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_0043B497
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0042ACB0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00414540
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	0_2_0041654C
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407570
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407570
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, eax	0_2_00415513
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_00416DF8
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93AD00A8h	0_2_00416DF8
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esi]	0_2_00415D8A
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_004345A0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [ecx], ax	0_2_0043B649
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_0043DE70
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_00423E10
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov dword ptr [esp+4Ch], C12EDF34h	0_2_00423E10
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then push esi	0_2_00429611
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov esi, edx	0_2_00429611
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_00426E30
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042A6E0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041D690
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then add ebx, 02h	0_2_00436E90
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_004376A0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, eax	0_2_0041CF70
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 67F3D776h	0_2_0042CF7E
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0Ch]	0_2_0041BF22
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0000008Eh]	0_2_0040DF8D
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+20h]	0_2_00427F98
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-02h]	0_2_00439FA0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-74BB2F52h]	0_2_00439FA0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_024A4246
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-02h]	0_2_024BA207
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-74BB2F52h]	0_2_024BA207
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-1F0C3802h]	0_2_0249A307
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_024AB3C7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_024AD3E7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esi]	0_2_02496019
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_024BE0D7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then add ebx, 02h	0_2_024B70F7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_024A7097
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-00000258h]	0_2_0248A0A7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 67F3D776h	0_2_024AD1E5
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0000008Eh]	0_2_0248E1F4
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0Ch]	0_2_0249C189
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_024966D3
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_024BB6D5
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_024BB6FE
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, eax	0_2_02495779
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_024877D7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_024877D7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_024947A7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	0_2_024967B3
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edi]	0_2_02488467
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_024AD47B
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_024AD4CD
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_024B846B
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov dword ptr [esp+4Ch], C12EDF34h	0_2_024A44E1
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_024AA4F5
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, ecx	0_2_024AD4BE
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, eax	0_2_0249D54A
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_02497584
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93AD00A8h	0_2_02497584
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov esi, edx	0_2_024A9A63
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then push esi	0_2_024A9A0A
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_024ACABD
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1AA2111Dh]	0_2_024BEB47
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_024A2B57
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000010D0h]	0_2_024A4B27
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 67F3D776h	0_2_024B7B37
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_024B4807
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+19E15398h]	0_2_024A88C2
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0249D8F7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [ecx], ax	0_2_024BB8B0
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_024AA947
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_024B793B
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_024ABE4C
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-48h]	0_2_024A4E47
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov esi, edx	0_2_024A9E63
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_02482E17
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_024ACE29
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_024ABE22
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, edx	0_2_0248AE27
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B1025CF1h	0_2_024BBEC1
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov edx, eax	0_2_024ABE80
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_024ABE80
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ecx, eax	0_2_024A2EB7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_024A2EB7
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+38F6967Eh]	0_2_0248BF5E
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+20h]	0_2_024A7F03
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_024AAF17
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov ebx, ecx	0_2_024A3C11
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_024ABC8F
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_024ABC8F
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then jmp eax	0_2_024A7C96
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_0249ED27
Source: C:\Users\user\Desktop\davies.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+4D4614C0h]	0_2_0249BD87

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.9:53866 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.9:51310 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.9:56573 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.9:65206 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058285 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz) : 192.168.2.9:49653 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.9:56652 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.9:50035 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.9:54451 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.9:49473 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.9:49754 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: spellshagey.biz
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: immureprech.biz

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: deafeninggeh.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: effecterectz.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wrathful-jammy.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: immureprech.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: spellshagey.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: debonairnukk.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: diffuculttan.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sordid-snaked.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: awake-weaves.cyou replaycode: Name error (3)

Source: global traffic

TCP traffic: 192.168.2.9:56526 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49754 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://s equals www.youtube.com (Youtube)
Source: davies.exe, 00000000.00000003.1410862545.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7b1f833df124b8d8e24a4284; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 10 Jan 2025 11:01:54 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlK equals www.youtube.com (Youtube)
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: teambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: spellshagey.biz
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/
Source: davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/api
Source: davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/ikE
Source: davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/~
Source: davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/
Source: davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/;E
Source: davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/CE
Source: davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/api
Source: davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/apiCD
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/R
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: davies.exe, 00000000.00000003.1410862545.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/a
Source: davies.exe, 00000000.00000002.1589406429.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/cE
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: davies.exe, 00000000.00000002.1589406429.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: davies.exe, 00000000.00000003.1410862545.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410862545.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: davies.exe, 00000000.00000003.1410862545.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shopv
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410862545.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49754 version: TLS 1.2

Source: C:\Users\user\Desktop\davies.exe

Code function: 0_2_00431EF0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00431EF0

Source: C:\Users\user\Desktop\davies.exe

Code function: 0_2_00431EF0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00431EF0

Source: C:\Users\user\Desktop\davies.exe

Code function: 0_2_00432060 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00432060

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004089E0	0_2_004089E0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0040B406	0_2_0040B406
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042C856	0_2_0042C856
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042786E	0_2_0042786E
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00415871	0_2_00415871
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00428005	0_2_00428005
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004300C0	0_2_004300C0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004378D0	0_2_004378D0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043E8E0	0_2_0043E8E0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004098F0	0_2_004098F0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00438089	0_2_00438089
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041E8A0	0_2_0041E8A0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041A0A0	0_2_0041A0A0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004150B0	0_2_004150B0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041B8B0	0_2_0041B8B0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00429940	0_2_00429940
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00416152	0_2_00416152
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00405910	0_2_00405910
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00409120	0_2_00409120
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041E120	0_2_0041E120
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00403930	0_2_00403930
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042D180	0_2_0042D180
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041498C	0_2_0041498C
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042E1B4	0_2_0042E1B4
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043B24F	0_2_0043B24F
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042D257	0_2_0042D257
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043E260	0_2_0043E260
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042D266	0_2_0042D266
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00429275	0_2_00429275
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042D214	0_2_0042D214
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00428A1C	0_2_00428A1C
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041EAC0	0_2_0041EAC0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00431AC0	0_2_00431AC0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00439AD0	0_2_00439AD0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004042E0	0_2_004042E0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00419A85	0_2_00419A85
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00428A93	0_2_00428A93
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042C294	0_2_0042C294
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0040DAA4	0_2_0040DAA4
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00424B57	0_2_00424B57
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00425B60	0_2_00425B60
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00435373	0_2_00435373
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00417B7D	0_2_00417B7D
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00406300	0_2_00406300
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043A300	0_2_0043A300
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00426B10	0_2_00426B10
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00426320	0_2_00426320
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042332F	0_2_0042332F
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0040ABC0	0_2_0040ABC0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042CBC2	0_2_0042CBC2
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00427BD5	0_2_00427BD5
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00436BE0	0_2_00436BE0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004093F0	0_2_004093F0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_004463BF	0_2_004463BF
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00436440	0_2_00436440
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00410C48	0_2_00410C48
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00422C50	0_2_00422C50
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00418C0E	0_2_00418C0E
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00404C10	0_2_00404C10
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043CCE0	0_2_0043CCE0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00414540	0_2_00414540
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041E540	0_2_0041E540
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00407570	0_2_00407570
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041B5C0	0_2_0041B5C0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043CDE0	0_2_0043CDE0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00416DF8	0_2_00416DF8
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00415D8A	0_2_00415D8A
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043E5A0	0_2_0043E5A0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00415649	0_2_00415649
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00428E72	0_2_00428E72
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00424600	0_2_00424600
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0040D60B	0_2_0040D60B
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00423E10	0_2_00423E10
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00429611	0_2_00429611
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041DE20	0_2_0041DE20
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00436E90	0_2_00436E90
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00411754	0_2_00411754
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043AF5E	0_2_0043AF5E
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00419761	0_2_00419761
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042576B	0_2_0042576B
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041CF70	0_2_0041CF70
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042CF7E	0_2_0042CF7E
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042BF1D	0_2_0042BF1D
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0041BF22	0_2_0041BF22
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00402F30	0_2_00402F30
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00405F30	0_2_00405F30
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00423732	0_2_00423732
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00426FD4	0_2_00426FD4
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00425FF0	0_2_00425FF0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043CF80	0_2_0043CF80
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0040DF8D	0_2_0040DF8D
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00406790	0_2_00406790
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0042BF9C	0_2_0042BF9C
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00439FA0	0_2_00439FA0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043DFA0	0_2_0043DFA0
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00AFA8A9	0_2_00AFA8A9
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024A6257	0_2_024A6257
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249D275	0_2_0249D275
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AC203	0_2_024AC203
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BA207	0_2_024BA207
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BE207	0_2_024BE207
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249A307	0_2_0249A307
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B0327	0_2_024B0327
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AD3E7	0_2_024AD3E7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249E387	0_2_0249E387
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02489387	0_2_02489387
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024963B9	0_2_024963B9
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249705F	0_2_0249705F
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02496019	0_2_02496019
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024A90EA	0_2_024A90EA
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B70F7	0_2_024B70F7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249E087	0_2_0249E087
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BB1C5	0_2_024BB1C5
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AD1E5	0_2_024AD1E5
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0248E1F4	0_2_0248E1F4
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249C189	0_2_0249C189
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AC184	0_2_024AC184
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02483197	0_2_02483197
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02486197	0_2_02486197
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02489657	0_2_02489657
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B66A7	0_2_024B66A7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024877D7	0_2_024877D7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249E7A7	0_2_0249E7A7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AD47B	0_2_024AD47B
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AE41B	0_2_024AE41B
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02498432	0_2_02498432
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AD4CD	0_2_024AD4CD
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BE4C7	0_2_024BE4C7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024A94DC	0_2_024A94DC
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AC4FB	0_2_024AC4FB
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024AD4BE	0_2_024AD4BE
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BB4B6	0_2_024BB4B6
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02484547	0_2_02484547
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BA567	0_2_024BA567
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02486567	0_2_02486567
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B55DA	0_2_024B55DA
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02497584	0_2_02497584
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024ACABD	0_2_024ACABD
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BEB47	0_2_024BEB47
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02489B57	0_2_02489B57
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02485B77	0_2_02485B77
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249EB07	0_2_0249EB07
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249BB17	0_2_0249BB17
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B7B37	0_2_024B7B37
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02483B97	0_2_02483B97
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0248D872	0_2_0248D872
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BE807	0_2_024BE807
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249B827	0_2_0249B827
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024978E5	0_2_024978E5
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249888D	0_2_0249888D
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024968B9	0_2_024968B9
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024999C8	0_2_024999C8
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024A89F9	0_2_024A89F9
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024869F7	0_2_024869F7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024919BB	0_2_024919BB
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B6E47	0_2_024B6E47
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024A4E47	0_2_024A4E47
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02484E77	0_2_02484E77
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024ACE29	0_2_024ACE29
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0248AE27	0_2_0248AE27
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02490EAF	0_2_02490EAF
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024A2EB7	0_2_024A2EB7
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02488C47	0_2_02488C47
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024A6D77	0_2_024A6D77
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B1D27	0_2_024B1D27
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0249ED27	0_2_0249ED27
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024B9D37	0_2_024B9D37

Source: C:\Users\user\Desktop\davies.exe	Code function: String function: 02488367 appears 74 times
Source: C:\Users\user\Desktop\davies.exe	Code function: String function: 02494797 appears 71 times
Source: C:\Users\user\Desktop\davies.exe	Code function: String function: 00408100 appears 35 times
Source: C:\Users\user\Desktop\davies.exe	Code function: String function: 00414530 appears 71 times

Source: C:\Users\user\Desktop\davies.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 892

Source: davies.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: davies.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@11/1

Source: C:\Users\user\Desktop\davies.exe

Code function: 0_2_00AFB41E CreateToolhelp32Snapshot,Module32First,

0_2_00AFB41E

Source: C:\Users\user\Desktop\davies.exe

Code function: 0_2_0042F94E CoCreateInstance,

0_2_0042F94E

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7736

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2341e587-b8cd-475c-9cac-81a752dd93c9

Jump to behavior

Source: davies.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\davies.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: davies.exe	Virustotal: Detection: 79%
Source: davies.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\davies.exe

File read: C:\Users\user\Desktop\davies.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\davies.exe "C:\Users\user\Desktop\davies.exe"
Source: C:\Users\user\Desktop\davies.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 892

Source: C:\Users\user\Desktop\davies.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\davies.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\davies.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\davies.exe

Unpacked PE file: 0.2.davies.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\davies.exe

Unpacked PE file: 0.2.davies.exe.400000.0.unpack

Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00445441 push ebp; iretd	0_2_00445442
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0043CC90 push eax; mov dword ptr [esp], FBFAF9C8h	0_2_0043CC92
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00439EF0 push eax; mov dword ptr [esp], 0A0B0C0Dh	0_2_00439EFE
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00AFFD18 pushad ; ret	0_2_00AFFD19
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00AFDE37 pushad ; ret	0_2_00AFDE38
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BA157 push eax; mov dword ptr [esp], 0A0B0C0Dh	0_2_024BA165
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_024BCEF7 push eax; mov dword ptr [esp], FBFAF9C8h	0_2_024BCEF9

Source: davies.exe

Static PE information: section name: .text entropy: 7.368670704288655

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\davies.exe TID: 7824

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: davies.exe, 00000000.00000002.1589406429.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410862545.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: davies.exe, 00000000.00000003.1410862545.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW]
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\davies.exe

Code function: 0_2_0043B540 LdrInitializeThunk,

0_2_0043B540

Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_00AFACFB push dword ptr fs:[00000030h]	0_2_00AFACFB
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_0248092B mov eax, dword ptr fs:[00000030h]	0_2_0248092B
Source: C:\Users\user\Desktop\davies.exe	Code function: 0_2_02480D90 mov eax, dword ptr fs:[00000030h]	0_2_02480D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: davies.exe	String found in binary or memory: debonairnukk.xyz
Source: davies.exe	String found in binary or memory: diffuculttan.xyz
Source: davies.exe	String found in binary or memory: effecterectz.xyz
Source: davies.exe	String found in binary or memory: deafeninggeh.biz
Source: davies.exe	String found in binary or memory: immureprech.biz
Source: davies.exe	String found in binary or memory: spellshagey.biz

Source: C:\Users\user\Desktop\davies.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
davies.exe	79%	Virustotal		Browse
davies.exe	74%	ReversingLabs	Win32.Trojan.Lummac
davies.exe	100%	Avira	HEUR/AGEN.1312567
davies.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://effecterectz.xyz/;E	100%	Avira URL Cloud	malware
https://deafeninggeh.biz/~	100%	Avira URL Cloud	malware
https://immureprech.biz/R	100%	Avira URL Cloud	malware
spellshagey.biz	100%	Avira URL Cloud	malware
https://deafeninggeh.biz/ikE	100%	Avira URL Cloud	malware
https://effecterectz.xyz/CE	100%	Avira URL Cloud	malware
https://effecterectz.xyz/apiCD	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
241.42.69.40.in-addr.arpa	unknown	unknown	false	high
spellshagey.biz	unknown	unknown	true	unknown
awake-weaves.cyou	unknown	unknown	false	high
immureprech.biz	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
deafeninggeh.biz	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sordid-snaked.cyou	false		high
deafeninggeh.biz	false		high
diffuculttan.xyz	false		high
effecterectz.xyz	false		high
wrathful-jammy.cyou	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
awake-weaves.cyou	false		high
immureprech.biz	false		high
debonairnukk.xyz	false		high
spellshagey.biz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/	davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/ikE	davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/apiCD	davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://recaptcha.net/recaptcha/;	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://medal.tv	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410862545.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/~	davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/;E	davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	davies.exe, 00000000.00000003.1410862545.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/CE	davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/legal/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steam.tv/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://effecterectz.xyz/	davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/R	davies.exe, 00000000.00000003.1397427953.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/a	davies.exe, 00000000.00000003.1410862545.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/api	davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/api	davies.exe, 00000000.00000003.1397644791.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/cE	davies.exe, 00000000.00000002.1589406429.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589406429.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shopv	davies.exe, 00000000.00000003.1410827678.0000000003181000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	davies.exe, 00000000.00000002.1589603265.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	davies.exe, 00000000.00000003.1410862545.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410862545.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1589603265.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410946691.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	davies.exe, 00000000.00000002.1590324827.0000000003189000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000003.1410827678.0000000003186000.00000004.00000800.00020000.00000000.sdmp, davies.exe, 00000000.00000002.1590324827.0000000003180000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587454
Start date and time:	2025-01-10 12:00:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	davies.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@11/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 16 Number of non-executed functions: 235
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.45, 20.190.160.20, 20.109.210.53, 40.69.42.241, 4.175.87.197, 52.149.20.212
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:01:52	API Interceptor	3x Sleep call for process: davies.exe modified
06:02:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_davies.exe_29fd3e8dcedd613489effaa59241548738ccf_5c1024ad_96061568-cc38-4712-b8f8-57b6107eb496\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9219948598166965
Encrypted:	false
SSDEEP:	192:BZDzGh8w1V0mPe7+PnAjur1zuiFc/Z24IO8EAM:7z28w12mPe7+4jQzuiFc/Y4IO8ET
MD5:	CF19C75F7607F2E2DBD6999B1FADAE5E
SHA1:	6CF7F8F2E2C553D3ED49B2A622BA563B873C895F
SHA-256:	34EA6CB779F0BEFD82AF55D0742925CC31F9F508919829D3C01869ABD750FBA6
SHA-512:	3CD2228E110E6086A3AE62702AED8D5493D71D79345647704A535BD786D17D1083AE6AFC7A586B0024B991210BA3132616D351C859408F48FBD0E86F006E27D0
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.8.0.5.1.4.6.5.0.2.6.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.8.0.5.1.5.5.4.0.8.9.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.0.6.1.5.6.8.-.c.c.3.8.-.4.7.1.2.-.b.8.f.8.-.5.7.b.6.1.0.7.e.b.4.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.4.f.9.6.9.6.-.b.9.b.6.-.4.e.e.b.-.9.2.8.8.-.0.f.9.5.3.b.c.e.7.b.b.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.a.v.i.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.3.8.-.0.0.0.1.-.0.0.1.4.-.4.0.b.5.-.c.7.0.c.4.f.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.4.5.a.0.d.d.b.7.0.5.d.6.c.d.1.9.7.6.0.0.4.5.7.3.6.e.8.6.b.d.0.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.f.a.9.d.c.8.d.9.8.c.6.e.9.f.9.d.e.2.3.c.b.f.6.4.5.6.d.6.a.7.0.b.3.8.4.f.d.d.!.d.a.v.i.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER247D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jan 10 11:01:54 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	43702
Entropy (8bit):	2.5616878665941725
Encrypted:	false
SSDEEP:	192:GCgDXUpHCgMpBzO2BHuHEao5hV/kQXb4zdGjIRV9iUWThFg87ZpZ:dHuBq2BHasV/wzTR+FThi6j
MD5:	DE75F226B8793C5E9D9826CB8CCFDB55
SHA1:	7AA7B203582A94722D9A33DD5DB2E240CEC58F1A
SHA-256:	598B5E48D302441EB44338077A3E2F0BC8D9A6B824A1641EEC0FE3EE1A06672A
SHA-512:	9CE0441FF34BB9C1D7AE8BE64ADA8F63C999770A0ADD291280D88441800DEB13CF112B3CB101C9710DC0157CACF3C3826C5A94BEB421EC751919C4A10129AB99
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ......."..g............4...........D...H...................T....*..........`.......8...........T............<...m......................................................................................................eJ..............GenuineIntel............T.......8......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25F5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8286
Entropy (8bit):	3.6956300895465586
Encrypted:	false
SSDEEP:	192:R6l7wVeJwt6446YcD5lSUvXgmfYaa8pDT89b2zsfjSm:R6lXJa6l6YOlSUvXgmfYaaV2Yfn
MD5:	B017E3F145D92DB036821AE281ABE2AD
SHA1:	86B2BAC3C45FE517850BE1B79E7667CBA5342589
SHA-256:	D733E9171177175A9E01EB387D6FC95345E86D512D023B164065B010621B110B
SHA-512:	AE349D4F7FA758A89D9308D445AAD4F90B7C1295BC5B93DCF14C311EB5F92F576AD477A7D673D52402A6954716D35FDBD06E9D940AF3C6B6B058F08C2C6F6002
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26B2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.42919629527476
Encrypted:	false
SSDEEP:	48:cvIwWl8zs2NJg77aI9adWpW8VY8Ym8M4JAZF++q8wJxdEHhQd:uIjfCI78s7VwJLjxduhQd
MD5:	FFB6A724959677F56025FA70F0756C6D
SHA1:	5353C8EA6EAC4AE9FE4D85675AD6F102D53FC2FD
SHA-256:	E4A38E38085D23EA050AD32C95C98F5B207B8146F9BBC658881D33856244B915
SHA-512:	5469C64CE307514B9FD9CFE49A6E82B4D4CBA7E8F86F09FBEAB72134673681EC80C4683B17983AE3458015DF0254B5B107081AEE4057E47772B3289AF9353FBB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="669724" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.393789363825858
Encrypted:	false
SSDEEP:	6144:al4fiJoH0ncNXiUjt10qOG/gaocYGBoaUMMhA2NX4WABlBuNAmOBSqa:K4vFOMYQUMM6VFYSmU
MD5:	7644E70CF3A7B8DC79D3B96B110C6459
SHA1:	AAC55454B8084CC043D424BE9764DB1053616AF2
SHA-256:	1A18B1DC994DC5A9E72D64840C3291DF562DF90CB7F7E2035ACF74B8DE59C3AA
SHA-512:	6F7F9C4C0790FF89740F44625E33EDB7E3D1737C2E88272F9950EC84F8110EDC967EC7D871264F4738C842AC5323E0C4D880CFAFBDEA034B9504AF5066A19033
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ.&.Oc................................................................................................................................................................................................................................................................................................................................................1;........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.610586003963148
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	davies.exe
File size:	388'608 bytes
MD5:	7d101b7e062d99e8b7914e7d43dfc23b
SHA1:	a5fa9dc8d98c6e9f9de23cbf6456d6a70b384fdd
SHA256:	5169bb87481b683a2f1043ff15708455d3d889b5c1d95ab107d2ef8fb9e20aee
SHA512:	fc482d0541d7fe1d8acf66d047e879ed011bfa58f9fd594c20d7dc20a11a1c5b5f1d9ea35c47e1af4f58b2ccb925523c180afc997743de53a7910a888d7adf72
SSDEEP:	3072:xaRuoiN6X5ZEHYi2z5hLY4eBwHpV1FKKtHv8TDYJ7wenpXI2kWex76oVcT1LYAxy:E0CZE4D5vrvRx5dpXIAPlYA9WPVmvU
TLSH:	EA84CF7176FDA452E7BB8631F97CCAA4293FB8A36F34910B2325675F1D303918622712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0M..t,x.t,x.t,x..c..u,x.j~..j,x.j~..`,x.j~...,x.S...},x.t,y..,x.j~..u,x.j~..u,x.j~..u,x.Richt,x.................PE..L...n..e...

File Icon


Icon Hash:	151a131212911409

Static PE Info

General

Entrypoint:	0x4017d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D1916E [Sun Feb 18 05:11:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e0621930c1d4136168cf93afb98f4239

Entrypoint Preview

Instruction
call 00007FA8A9C99392h
jmp 00007FA8A9C967DDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00446C18h], eax
mov dword ptr [00446C14h], ecx
mov dword ptr [00446C10h], edx
mov dword ptr [00446C0Ch], ebx
mov dword ptr [00446C08h], esi
mov dword ptr [00446C04h], edi
mov word ptr [00446C30h], ss
mov word ptr [00446C24h], cs
mov word ptr [00446C00h], ds
mov word ptr [00446BFCh], es
mov word ptr [00446BF8h], fs
mov word ptr [00446BF4h], gs
pushfd
pop dword ptr [00446C28h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00446C1Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00446C20h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00446C2Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00446B68h], 00010001h
mov eax, dword ptr [00446C20h]
mov dword ptr [00446B1Ch], eax
mov dword ptr [00446B10h], C0000409h
mov dword ptr [00446B14h], 00000001h
mov eax, dword ptr [00444004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00444008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x429ec	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x41f000	0x16020	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3f35c	0x3f400	9d7f27b3faca5ed7d7fe8ce0b70e7746	False	0.8032863451086957	data	7.368670704288655	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x41000	0x22cc	0x2400	4ec957191c81b3d7dcbf5ae2bb1c0d7f	False	0.357421875	data	5.3995982022182725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x44000	0x3da548	0x7000	4224ed99e97faed7444b0ce614216236	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x41f000	0x16020	0x16200	da515f53ba108c6ac7bcfa222200e7ae	False	0.4417703919491525	data	4.831773519344492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x430b20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x41f810	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.5189232409381663
RT_ICON	0x4206b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.5717509025270758
RT_ICON	0x420f60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.6105990783410138
RT_ICON	0x421628	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.6502890173410405
RT_ICON	0x421b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.42147302904564315
RT_ICON	0x424138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.4910881801125704
RT_ICON	0x4251e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.48565573770491804
RT_ICON	0x425b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.5957446808510638
RT_ICON	0x426048	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkmen	Turkmenistan	0.35287846481876334
RT_ICON	0x426ef0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkmen	Turkmenistan	0.5040613718411552
RT_ICON	0x427798	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkmen	Turkmenistan	0.5737327188940092
RT_ICON	0x427e60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkmen	Turkmenistan	0.6098265895953757
RT_ICON	0x4283c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkmen	Turkmenistan	0.34380863039399623
RT_ICON	0x429470	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkmen	Turkmenistan	0.33811475409836067
RT_ICON	0x429df8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkmen	Turkmenistan	0.39361702127659576
RT_ICON	0x42a2c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkmen	Turkmenistan	0.3392857142857143
RT_ICON	0x42b170	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkmen	Turkmenistan	0.4629963898916967
RT_ICON	0x42ba18	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkmen	Turkmenistan	0.49827188940092165
RT_ICON	0x42c0e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkmen	Turkmenistan	0.5325144508670521
RT_ICON	0x42c648	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkmen	Turkmenistan	0.425
RT_ICON	0x42ebf0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkmen	Turkmenistan	0.4343339587242026
RT_ICON	0x42fc98	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkmen	Turkmenistan	0.43524590163934423
RT_ICON	0x430620	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkmen	Turkmenistan	0.4512411347517731
RT_STRING	0x431b98	0x4fe	data			0.43661971830985913
RT_STRING	0x432098	0x66	data			0.6862745098039216
RT_STRING	0x432100	0x776	data			0.42670157068062825
RT_STRING	0x432878	0x54c	data			0.4476401179941003
RT_STRING	0x432dc8	0x7e0	data			0.42162698412698413
RT_STRING	0x4335a8	0x6da	data			0.4298745724059293
RT_STRING	0x433c88	0x756	data			0.422790202342918
RT_STRING	0x4343e0	0x63c	data			0.43796992481203006
RT_STRING	0x434a20	0x5fa	data			0.43790849673202614
RT_ACCELERATOR	0x430b00	0x20	data			1.15625
RT_GROUP_CURSOR	0x4319c8	0x14	data			1.25
RT_GROUP_ICON	0x430a88	0x76	data	Turkmen	Turkmenistan	0.6694915254237288
RT_GROUP_ICON	0x42a260	0x68	data	Turkmen	Turkmenistan	0.7115384615384616
RT_GROUP_ICON	0x425fd0	0x76	data	Turkmen	Turkmenistan	0.6610169491525424
RT_VERSION	0x4319e0	0x1b4	data			0.5711009174311926

Imports

DLL	Import
KERNEL32.dll	SetDefaultCommConfigA, SetLocaleInfoA, GetNumaProcessorNode, InterlockedDecrement, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetEnvironmentStrings, LoadLibraryW, GetVersionExW, DeleteVolumeMountPointW, GetTimeFormatW, GetConsoleAliasW, GetFileAttributesW, GetStartupInfoA, SetLastError, GetProcAddress, UnregisterWait, BuildCommDCBW, ResetEvent, LoadLibraryA, Process32Next, LocalAlloc, GetFileType, AddAtomW, FoldStringW, GetModuleFileNameA, GetModuleHandleA, UpdateResourceW, WriteConsoleOutputAttribute, OpenFileMappingA, WriteProcessMemory, SetFileAttributesA, GetCommandLineW, CreateFileA, WriteConsoleW, MultiByteToWideChar, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, GetLastError, Sleep, HeapSize, ExitProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WriteFile, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, HeapAlloc, HeapReAlloc, VirtualAlloc, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP
USER32.dll	GetProcessDefaultLayout
GDI32.dll	GetBitmapBits

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T12:01:53.569584+0100	2058285	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz)	1	192.168.2.9	49653	1.1.1.1	53	UDP
2025-01-10T12:01:53.584727+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.9	49473	1.1.1.1	53	UDP
2025-01-10T12:01:53.597043+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.9	56573	1.1.1.1	53	UDP
2025-01-10T12:01:53.663506+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.9	50035	1.1.1.1	53	UDP
2025-01-10T12:01:53.726870+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.9	65206	1.1.1.1	53	UDP
2025-01-10T12:01:53.739258+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.9	53866	1.1.1.1	53	UDP
2025-01-10T12:01:53.750988+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.9	56652	1.1.1.1	53	UDP
2025-01-10T12:01:53.761664+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.9	54451	1.1.1.1	53	UDP
2025-01-10T12:01:53.772233+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.9	51310	1.1.1.1	53	UDP
2025-01-10T12:01:54.435111+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49754	104.102.49.254	443	TCP
2025-01-10T12:01:54.903469+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.9	49754	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 12:01:53.800147057 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:53.800196886 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:53.800268888 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:53.803190947 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:53.803210020 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.434993029 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.435111046 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.438848019 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.438864946 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.439097881 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.488822937 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.496335030 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.539341927 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.903438091 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.903459072 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.903490067 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.903493881 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.903512955 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.903532028 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.903543949 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.903551102 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.903597116 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.903597116 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.991079092 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.991118908 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.991154909 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.991178989 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.991229057 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.993628025 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.993647099 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:01:54.993657112 CET	49754	443	192.168.2.9	104.102.49.254
Jan 10, 2025 12:01:54.993669033 CET	443	49754	104.102.49.254	192.168.2.9
Jan 10, 2025 12:02:22.731709957 CET	56526	53	192.168.2.9	162.159.36.2
Jan 10, 2025 12:02:22.736514091 CET	53	56526	162.159.36.2	192.168.2.9
Jan 10, 2025 12:02:22.736602068 CET	56526	53	192.168.2.9	162.159.36.2
Jan 10, 2025 12:02:22.741386890 CET	53	56526	162.159.36.2	192.168.2.9
Jan 10, 2025 12:02:23.222454071 CET	56526	53	192.168.2.9	162.159.36.2
Jan 10, 2025 12:02:23.227510929 CET	53	56526	162.159.36.2	192.168.2.9
Jan 10, 2025 12:02:23.227574110 CET	56526	53	192.168.2.9	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 12:01:53.569583893 CET	49653	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.578947067 CET	53	49653	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.584727049 CET	49473	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.594655991 CET	53	49473	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.597043037 CET	56573	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.606597900 CET	53	56573	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.663506031 CET	50035	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.673001051 CET	53	50035	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.726870060 CET	65206	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.736160040 CET	53	65206	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.739258051 CET	53866	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.748708963 CET	53	53866	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.750988007 CET	56652	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.760392904 CET	53	56652	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.761663914 CET	54451	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.770843029 CET	53	54451	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.772233009 CET	51310	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.784847021 CET	53	51310	1.1.1.1	192.168.2.9
Jan 10, 2025 12:01:53.787693977 CET	55609	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:01:53.794828892 CET	53	55609	1.1.1.1	192.168.2.9
Jan 10, 2025 12:02:22.731045961 CET	53	65055	162.159.36.2	192.168.2.9
Jan 10, 2025 12:02:23.230989933 CET	63541	53	192.168.2.9	1.1.1.1
Jan 10, 2025 12:02:23.237903118 CET	53	63541	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 12:01:53.569583893 CET	192.168.2.9	1.1.1.1	0x2434	Standard query (0)	spellshagey.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.584727049 CET	192.168.2.9	1.1.1.1	0xf879	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.597043037 CET	192.168.2.9	1.1.1.1	0xb638	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.663506031 CET	192.168.2.9	1.1.1.1	0xe7f7	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.726870060 CET	192.168.2.9	1.1.1.1	0x4ad5	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.739258051 CET	192.168.2.9	1.1.1.1	0x23b	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.750988007 CET	192.168.2.9	1.1.1.1	0xac0	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.761663914 CET	192.168.2.9	1.1.1.1	0x8971	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.772233009 CET	192.168.2.9	1.1.1.1	0x3cef	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.787693977 CET	192.168.2.9	1.1.1.1	0x2132	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:02:23.230989933 CET	192.168.2.9	1.1.1.1	0xff5c	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 12:01:53.578947067 CET	1.1.1.1	192.168.2.9	0x2434	Name error (3)	spellshagey.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.594655991 CET	1.1.1.1	192.168.2.9	0xf879	Name error (3)	immureprech.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.606597900 CET	1.1.1.1	192.168.2.9	0xb638	Name error (3)	deafeninggeh.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.673001051 CET	1.1.1.1	192.168.2.9	0xe7f7	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.736160040 CET	1.1.1.1	192.168.2.9	0x4ad5	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.748708963 CET	1.1.1.1	192.168.2.9	0x23b	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.760392904 CET	1.1.1.1	192.168.2.9	0xac0	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.770843029 CET	1.1.1.1	192.168.2.9	0x8971	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.784847021 CET	1.1.1.1	192.168.2.9	0x3cef	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:01:53.794828892 CET	1.1.1.1	192.168.2.9	0x2132	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 10, 2025 12:02:23.237903118 CET	1.1.1.1	192.168.2.9	0xff5c	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49754	104.102.49.254	443	7736	C:\Users\user\Desktop\davies.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 11:01:54 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 11:01:54 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 11:01:54 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=7b1f833df124b8d8e24a4284; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 11:01:54 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 11:01:54 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	06:01:50
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\davies.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\davies.exe"
Imagebase:	0x400000
File size:	388'608 bytes
MD5 hash:	7D101B7E062D99E8B7914E7D43DFC23B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:01:54
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 892
Imagebase:	0xc60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	40.3%
Signature Coverage:	45.8%
Total number of Nodes:	72
Total number of Limit Nodes:	7

Executed Functions

Function 0040B406 Relevance: 9.2, Strings: 7, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!hij, xrefs: 0040B738
%D$F, xrefs: 0040B706
,p&r, xrefs: 0040B724
<@ B, xrefs: 0040B6FC
x0T2, xrefs: 0040B684
$|(~, xrefs: 0040B71A
-t&v, xrefs: 0040B72E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: !hij$$|(~$%D$F$,p&r$-t&v$<@ B$x0T2
API String ID: 0-2398737378
Opcode ID: cc36970cb90afd64c1b5d136139abf7b079255cf7bb7bbab7fcaaa5b6473f7ee
Instruction ID: 99f8c0c89dd31b0ce8ec603442d68eec83d1285974430dc12138a7f3e579f288
Opcode Fuzzy Hash: cc36970cb90afd64c1b5d136139abf7b079255cf7bb7bbab7fcaaa5b6473f7ee
Instruction Fuzzy Hash: D50299B4600700CFD728CF29C895B127BB1FB45314F1586ACE95A8F7AAD775A805CFA4

Function 004089E0 Relevance: 6.1, APIs: 4, Instructions: 99
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A01
GetCurrentThreadId.KERNEL32 ref: 00408A09
GetForegroundWindow.USER32 ref: 00408A71
ExitProcess.KERNEL32 ref: 00408B1F

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction ID: 16e3a023297d6285cce21037b579bc23de6c51e586bbc8d1bf9774ec88c5cea3
Opcode Fuzzy Hash: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction Fuzzy Hash: D1316973F002182BCB186AB98D47366B5D64BC4304F0E413E6989BB3D6ED7C5C0946C8

Function 0040BCF7 Relevance: 3.8, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[,R., xrefs: 0040BD60
#$, xrefs: 0040BD4F
\ U", xrefs: 0040BD47

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: #$$[,R.$\ U"
API String ID: 0-750793529
Opcode ID: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction ID: 60e7d295e6879848fbb1194ea7d33ac138829f76c5ea86aabfca38139a05cf14
Opcode Fuzzy Hash: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction Fuzzy Hash: D921E276B583409FC3188E248C8139ABBE39BC2210F29983DE595D7365D979C4068B05

Function 00AFB41E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00AFB446
Module32First.KERNEL32(00000000,00000224), ref: 00AFB466

Memory Dump Source

Source File: 00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afa000_davies.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 74ceae509c523c2fc0a4747dbb39191ea2074f299437b2793802f90894252d0c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E4F0C232210718ABD7203BF5DA8DABA72F8AF48325F100228F742924C1CB70EC058A71

Function 0043B540 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043D75B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B56E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043BC5A Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

@ONM, xrefs: 0043BCA1

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID: @ONM
API String ID: 2994545307-2801865338
Opcode ID: 10c4037baaa1a3461035691c57c8bba514cdc4c51f68b58d1ee735240456ee24
Instruction ID: 66c126288edb15b1be03d662bb22b8e2252d89dbcbb921d107ff27fe6a362d93
Opcode Fuzzy Hash: 10c4037baaa1a3461035691c57c8bba514cdc4c51f68b58d1ee735240456ee24
Instruction Fuzzy Hash: E531353020414AABCB28CB18DC8163B3616FB4F321F28653EE917C779ADF309C018B88

Function 00AFA8A9 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afa000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ffd652959ea7c881702bcf4b5141762683507fe3a7575c88c50c1fcd817a64e
Instruction ID: 41f0d86cc8a0603e58dcff49aa845de40d813daff41a4cc93dea2d8e2d99b8a1
Opcode Fuzzy Hash: 6ffd652959ea7c881702bcf4b5141762683507fe3a7575c88c50c1fcd817a64e
Instruction Fuzzy Hash: 5FE1B88640F7C91FC72397B05C696A5BF70AE23244B1E85DBD5C8CF8A3D648494AC763

Function 00409E40 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction ID: 773bb1a58b939dcc9829a826cd8202c9a204143afeafa677da0ea0e5930860f3
Opcode Fuzzy Hash: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction Fuzzy Hash: 0031A171E412588BDB28CF69CC567EBBB75EB49300F0441BDE589E7341C7388D458BA9

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0248024D

Strings

kernel32.dll, xrefs: 0248008F, 02480095
cess, xrefs: 0248018D

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7b1ad8852e436fc1817e3e2aa783fdc326378ef2b8c29df7ba1e42edb9faaceb
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9B527A74A11229DFDB64CF58C984BADBBB1BF09304F1480DAE50DAB351DB30AA89CF14

Function 02480E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02480223,?,?), ref: 02480E19
SetErrorMode.KERNELBASE(00000000,?,?,02480223,?,?), ref: 02480E1E

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 625e0f7f1e1b302f448508261efaf1e752b234688f5247d6a6466c6c1b929a9e
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 85D0123215512877D7003A94DC09BDE7B1CDF05B66F008011FB0DD9180C770954046E5

Function 0043C20A Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043C3F1

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0aa73ecefab502f87d0238491b6a79a1c80c0822a31435018b4c0b9694549fe4
Instruction ID: 0fb141bd630550d023d235e03bb0a068ea4bc92f3d49284556085a9dbf0f0789
Opcode Fuzzy Hash: 0aa73ecefab502f87d0238491b6a79a1c80c0822a31435018b4c0b9694549fe4
Instruction Fuzzy Hash: 1211C47AB405108BDF0CCF68EC926BE7762FB99305B08907DC107E7355DA389802CA59

Function 0043B4E0 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B1DD,00000000,00000001,?,?,00000000,00000000), ref: 0043B512

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b8ab5ca455b7d86b60e36ce38f21e23a901100ba5adce51ad5934b64650e32b
Instruction ID: b6d615239973c33224b8ca103be8f3a05f384056a6d2bc58008467f0f73ad7d6
Opcode Fuzzy Hash: 6b8ab5ca455b7d86b60e36ce38f21e23a901100ba5adce51ad5934b64650e32b
Instruction Fuzzy Hash: E5E02B36424361BBC2003F657C06B1B3668EF8B754F06187AF405D6121E778E801C1DF

Function 00439A90 Relevance: 1.5, APIs: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00412CA3), ref: 00439AAE

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: accac4bdf124adb22f5a5637fe6dd63157f5b43de9a3fffb5cdd194092895033
Instruction ID: f1076ebbacd474c7597c0b9c53cb4795e21d73dddf39306e7d7a5043f366a07f
Opcode Fuzzy Hash: accac4bdf124adb22f5a5637fe6dd63157f5b43de9a3fffb5cdd194092895033
Instruction Fuzzy Hash: D2D05E34508221DBD2005F14EC45B463668EF0B261F030461B408AB172C220DC408698

Function 0043C3DD Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043C3F1

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 43d906a33079cf616210f0fb0059d934b558415631a6ba274dd12b3783835321
Instruction ID: ec05bad9c0389b36cac6b64b7751d3ebfc44111d8af745157a4c2312dec8b903
Opcode Fuzzy Hash: 43d906a33079cf616210f0fb0059d934b558415631a6ba274dd12b3783835321
Instruction Fuzzy Hash: E5E04FBAE00510CFDF14CF65EC416593762BB8E345B194079E901D3366DA38AD06CB1A

Function 00439A70 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00439A80

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 52db0f8560daf10d68f48b5be9581fe74425e7377f7876e993454923530bd23d
Instruction ID: d14ea394634640ee8a416866ac928f3a124760014de8c8652fe0493fc404303f
Opcode Fuzzy Hash: 52db0f8560daf10d68f48b5be9581fe74425e7377f7876e993454923530bd23d
Instruction Fuzzy Hash: C9C04C31445220AAD6106B15EC05BC63A549F496A1F011095B408A70718660AC818698

Function 00AFB0DD Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00AFB12E

Memory Dump Source

Source File: 00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afa000_davies.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 846d1417cab9a831f4263333b9b775400fa90c44b79608b33a403eb72af05c82
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: EF113C79A00208EFDB01DF98CA85E99BBF5EF08350F058094FA489B362D371EA50DF90

Non-executed Functions

Function 00435373 Relevance: 34.1, Strings: 27, Instructions: 313COMMON

Download Yara Rule

Strings

?, xrefs: 004355CC
9, xrefs: 004355B4
$, xrefs: 00435443
O, xrefs: 004354A1
7, xrefs: 004355AC
2, xrefs: 00435461
;, xrefs: 004355BC
%, xrefs: 004353EF
5, xrefs: 004355A4
0, xrefs: 00435479
0, xrefs: 00435481
-, xrefs: 0043540B
5, xrefs: 00435459
K, xrefs: 004354A9
D, xrefs: 00435499
>, xrefs: 0043557F
8, xrefs: 00435419
,, xrefs: 004353E1
<, xrefs: 00435576
), xrefs: 004353FD
,, xrefs: 00435435
I, xrefs: 00435491
0, xrefs: 0043569E
=, xrefs: 004355C4
;, xrefs: 00435469
7, xrefs: 00435489
c, xrefs: 004355A0

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: $$%$)$,$,$-$0$0$0$2$5$5$7$7$8$9$;$;$<$=$>$?$D$I$K$O$c
API String ID: 0-1278310319
Opcode ID: f66438ef1107ed81cddca335d8aa098e9e5b6eb95e5cfb782f53f424ee001c5f
Instruction ID: fbed2b24997769b95047de3bc88a52cd9bc89305883c9ffb242a8f2a3930c613
Opcode Fuzzy Hash: f66438ef1107ed81cddca335d8aa098e9e5b6eb95e5cfb782f53f424ee001c5f
Instruction Fuzzy Hash: B9E1D121D087E98ADB22C67C88083DDBFB15B57324F1843D9D4E9AB3D2C7740A46CB66

Function 024B55DA Relevance: 34.1, Strings: 27, Instructions: 313COMMON

Download Yara Rule

Strings

I, xrefs: 024B56F8
7, xrefs: 024B56F0
;, xrefs: 024B56D0
c, xrefs: 024B5807
0, xrefs: 024B5905
K, xrefs: 024B5710
5, xrefs: 024B56C0
5, xrefs: 024B580B
$, xrefs: 024B56AA
,, xrefs: 024B569C
D, xrefs: 024B5700
8, xrefs: 024B5680
2, xrefs: 024B56C8
9, xrefs: 024B581B
0, xrefs: 024B56E0
-, xrefs: 024B5672
), xrefs: 024B5664
<, xrefs: 024B57DD
%, xrefs: 024B5656
,, xrefs: 024B5648
O, xrefs: 024B5708
?, xrefs: 024B5833
=, xrefs: 024B582B
;, xrefs: 024B5823
0, xrefs: 024B56E8
>, xrefs: 024B57E6
7, xrefs: 024B5813

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: $$%$)$,$,$-$0$0$0$2$5$5$7$7$8$9$;$;$<$=$>$?$D$I$K$O$c
API String ID: 0-1278310319
Opcode ID: 3520f65678bd50cd584d15120946f895d35347bddff281b068816ef8e70d1f17
Instruction ID: 6e2bfe678ce9b84191f0df044842e0518d4703bea8a0edd5d9da85fcd938622e
Opcode Fuzzy Hash: 3520f65678bd50cd584d15120946f895d35347bddff281b068816ef8e70d1f17
Instruction Fuzzy Hash: C2E1A2219087E98ADB22C77C88483DDBFA15F57324F1843D9D4E96B3D2C7750A46CB62

Function 00436E90 Relevance: 33.9, APIs: 10, Strings: 9, Instructions: 647memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C,00000000), ref: 0043711D
SysAllocString.OLEAUT32(FA46F8B5), ref: 00437206
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437244
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043729C
SysAllocString.OLEAUT32(FA46F8B5), ref: 00437327
VariantInit.OLEAUT32(E1E0FFF6), ref: 00437397
VariantClear.OLEAUT32(E1E0FFF6), ref: 004374C9
SysFreeString.OLEAUT32(?), ref: 004374ED
SysFreeString.OLEAUT32(?), ref: 004374F3
SysFreeString.OLEAUT32(00000000), ref: 00437500

Strings

R&^, xrefs: 0043715F
/m:o, xrefs: 004372B4
A;, xrefs: 0043714B
E5G, xrefs: 004372E4
*y5{, xrefs: 004372CC
7e#g, xrefs: 00437315
TU, xrefs: 00437304
coPQ, xrefs: 00436F05
$i/k, xrefs: 004372AC

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: $i/k$*y5{$/m:o$7e#g$A;$R&^$TU$coPQ$E5G
API String ID: 2485776651-1946897041
Opcode ID: 79a9e8f040c90b982cbc34a1def7326e6d8ea52aea20c5bf8f97e9566bda01bf
Instruction ID: 957688f558f255e0e7ff555bad3a131534093369ee1cfb722c1dc1fbac212707
Opcode Fuzzy Hash: 79a9e8f040c90b982cbc34a1def7326e6d8ea52aea20c5bf8f97e9566bda01bf
Instruction Fuzzy Hash: 072200B26083409BD3248F65C880B6BBBE2EFD9724F18892DF5D597381D778D805CB56

Function 024B70F7 Relevance: 30.4, APIs: 8, Strings: 9, Instructions: 647memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0044068C,00000000,00000001,0044067C,00000000), ref: 024B7384
SysAllocString.OLEAUT32(FA46F8B5), ref: 024B746D
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 024B74AB
SysAllocString.OLEAUT32(FA46F8B5), ref: 024B7503
SysAllocString.OLEAUT32(FA46F8B5), ref: 024B758E
VariantInit.OLEAUT32(E1E0FFF6), ref: 024B75FE
VariantClear.OLEAUT32(E1E0FFF6), ref: 024B7730
SysFreeString.OLEAUT32(00000000), ref: 024B7767

Strings

/m:o, xrefs: 024B751B
E5G, xrefs: 024B754B
7e#g, xrefs: 024B757C
$i/k, xrefs: 024B7513
R&^, xrefs: 024B73C6
coPQ, xrefs: 024B716C
*y5{, xrefs: 024B7533
TU, xrefs: 024B756B
A;, xrefs: 024B73B2

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: $i/k$*y5{$/m:o$7e#g$A;$R&^$TU$coPQ$E5G
API String ID: 2775254435-1946897041
Opcode ID: dcad9155d69ce425e6e29318b7459b3474ba0fd8dac4eccc67f210e19dec3fab
Instruction ID: 82fe0e5356caf4c6d86762afe783bccd4d449458afdc8f11623f0ffcd31ac033
Opcode Fuzzy Hash: dcad9155d69ce425e6e29318b7459b3474ba0fd8dac4eccc67f210e19dec3fab
Instruction Fuzzy Hash: 9122FF726483409BD314CF69C880BABFBE2EFC5724F18892DE5959B381D778D805CB66

Function 00424B57 Relevance: 28.0, Strings: 22, Instructions: 466COMMON

Download Yara Rule

Strings

2t%v, xrefs: 004253E1
\C, xrefs: 0042531A
tMvO, xrefs: 00424F09
dUgW, xrefs: 00424F1D
hz, xrefs: 00425305
^\, xrefs: 00424C24
;l9n, xrefs: 004253F5
{M, xrefs: 00425313
qAsC, xrefs: 00424EEB
tK, xrefs: 0042530C
hYn[, xrefs: 00424F27
(|?~, xrefs: 004253D0
'h8j, xrefs: 004253EB
KB, xrefs: 00424BAD, 00424BD9
4N, xrefs: 00424C1D
ReQg, xrefs: 00424F45
Z\, xrefs: 004251AE
@D, xrefs: 00424C2B
4N, xrefs: 00424D21
7p9r, xrefs: 004253D7
-`3b, xrefs: 004253FF
"d3f, xrefs: 00425409

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: KB$"d3f$'h8j$(|?~$-`3b$2t%v$4N$4N$7p9r$;l9n$@D$ReQg$\C$^\$dUgW$hYn[$hz$qAsC$tMvO$tK${M$Z\
API String ID: 0-4131999672
Opcode ID: 3412665ea954a5d1f72cbf77ed50f46baf41cbf95b39a6ec64c5615c7ed954fe
Instruction ID: be35867440bbf1f7b9754dd3d141f074c8d0cf00ddee5ceac3bf05778880b5b7
Opcode Fuzzy Hash: 3412665ea954a5d1f72cbf77ed50f46baf41cbf95b39a6ec64c5615c7ed954fe
Instruction Fuzzy Hash: D8323EB4A11315CFDB58CF19D580A99BBB1FB41300F5A82A8C9589F76ADB75C882CF84

Function 024A4E47 Relevance: 26.7, Strings: 21, Instructions: 431COMMON

Download Yara Rule

Strings

-`3b, xrefs: 024A5666
dUgW, xrefs: 024A5184
'h8j, xrefs: 024A5652
qAsC, xrefs: 024A5152
\C, xrefs: 024A5581
tMvO, xrefs: 024A5170
ReQg, xrefs: 024A51AC
4N, xrefs: 024A4E84
{M, xrefs: 024A557A
;l9n, xrefs: 024A565C
Z\, xrefs: 024A5415
hYn[, xrefs: 024A518E
7p9r, xrefs: 024A563E
hz, xrefs: 024A556C
@D, xrefs: 024A4E92
"d3f, xrefs: 024A5670
^\, xrefs: 024A4E8B
tK, xrefs: 024A5573
2t%v, xrefs: 024A5648
4N, xrefs: 024A4F88
(|?~, xrefs: 024A5637

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: "d3f$'h8j$(|?~$-`3b$2t%v$4N$4N$7p9r$;l9n$@D$ReQg$\C$^\$dUgW$hYn[$hz$qAsC$tMvO$tK${M$Z\
API String ID: 0-1400579113
Opcode ID: 77c289c3f88b24daf2dc686fb6004ed8886a2da2f6cbbabb5caf0b04d5be3892
Instruction ID: fd0ec0cc0640fad66bb8fb6d054741fe9e316d1f0c55bc72fd4e5ced629d60cd
Opcode Fuzzy Hash: 77c289c3f88b24daf2dc686fb6004ed8886a2da2f6cbbabb5caf0b04d5be3892
Instruction Fuzzy Hash: 7D322FB4A11345CFDB58CF59C580A98BBB1FB41300F6A82A8C9595F76BDB75C882CF81

Function 00431EF0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431F00
GetWindowLongW.USER32 ref: 00431F25
GetClipboardData.USER32 ref: 00431F35
GlobalLock.KERNEL32 ref: 00431F4E
GlobalUnlock.KERNEL32 ref: 0043203B
CloseClipboard.USER32 ref: 00432044

Strings

i, xrefs: 00431FC4
, xrefs: 00431FAB
%, xrefs: 00431FB5
], xrefs: 00431F97
), xrefs: 00431FA1
3, xrefs: 00431F9C
,, xrefs: 00431FB0
", xrefs: 00431FBF

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: $"$%$)$,$3$]$i
API String ID: 2832541153-1573611430
Opcode ID: 7e3f79cf8ddd22ae6e6f56a64b6e3632e3df569b0aa8eb0cc6e788f8b563eae0
Instruction ID: 2ac8f52b9fcdf01d9135f32bc7069f654f115b24f587ae1aa6c0bc2cccbff0a6
Opcode Fuzzy Hash: 7e3f79cf8ddd22ae6e6f56a64b6e3632e3df569b0aa8eb0cc6e788f8b563eae0
Instruction Fuzzy Hash: 43416E7150C7808ED301EFB8D58835FBFE0AB86308F04586EE9C997282D6B9854CC79B

Function 0041EAC0 Relevance: 13.4, Strings: 10, Instructions: 882COMMON

Download Yara Rule

Strings

Rg`9, xrefs: 0041EE70
RceK, xrefs: 0041EE7B
cajk, xrefs: 0041EE9C
fy`y, xrefs: 0041EE86
7!, xrefs: 0041EC79
qbO{, xrefs: 0041EE60
=>;, xrefs: 0041F1FA
i#Iu, xrefs: 0041EE91
7., xrefs: 0041EEBD
Exx7, xrefs: 0041EC81

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: =>;$7.$7!$Exx7$RceK$Rg`9$cajk$fy`y$i#Iu$qbO{
API String ID: 0-3602867193
Opcode ID: 33d212c96fd6814c2a11ae1e68bd0eb74c5ebe334d9edf1d89eaebbd49a5b0c8
Instruction ID: 9e67af8fc63d6b3779e1a3c3432931e917dbbd2722ca4470168be63364704561
Opcode Fuzzy Hash: 33d212c96fd6814c2a11ae1e68bd0eb74c5ebe334d9edf1d89eaebbd49a5b0c8
Instruction Fuzzy Hash: 0452487450C3918FC725CF25C8406AFBBE1AF95314F084A6EE8E54B382DB39994AC796

Function 0249ED27 Relevance: 13.4, Strings: 10, Instructions: 882COMMON

Download Yara Rule

Strings

7., xrefs: 0249F124
=>;, xrefs: 0249F461
RceK, xrefs: 0249F0E2
7!, xrefs: 0249EEE0
Exx7, xrefs: 0249EEE8
fy`y, xrefs: 0249F0ED
Rg`9, xrefs: 0249F0D7
qbO{, xrefs: 0249F0C7
cajk, xrefs: 0249F103
i#Iu, xrefs: 0249F0F8

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: =>;$7.$7!$Exx7$RceK$Rg`9$cajk$fy`y$i#Iu$qbO{
API String ID: 0-3602867193
Opcode ID: d4e465416bfe650e5f1098282e309c2c41405ef9414de7e39134a8d3124e67d1
Instruction ID: 7d6086b27aa0e42d6e32e540b5f876ef607ea5ba58a9f045df15215e201213a0
Opcode Fuzzy Hash: d4e465416bfe650e5f1098282e309c2c41405ef9414de7e39134a8d3124e67d1
Instruction Fuzzy Hash: 0E52127050C3918FCB25DF25C84076FBFE1AF82214F098A6EE4E58B791DB35950ACB92

Function 00425FF0 Relevance: 12.8, Strings: 10, Instructions: 259COMMON

Download Yara Rule

Strings

J=[?, xrefs: 0042613C
P5j7, xrefs: 0042612C
A!V#, xrefs: 00426104
)E+G, xrefs: 0042614C
A%z', xrefs: 0042610C
*+, xrefs: 004262B4
H-K/, xrefs: 0042611C
a)D+, xrefs: 00426114
H1W3, xrefs: 00426124
t9S;, xrefs: 00426134

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: )E+G$*+$A!V#$A%z'$H-K/$H1W3$J=[?$P5j7$a)D+$t9S;
API String ID: 0-1048206937
Opcode ID: dc567a36316d777da4cf3f87b8300da03738c1b31d72e3d1e72c8b640c5a5981
Instruction ID: ad026e03bf7ebb5cdd50c9cd0803b66ff92b5d3cb43946da3003fa1726a16d65
Opcode Fuzzy Hash: dc567a36316d777da4cf3f87b8300da03738c1b31d72e3d1e72c8b640c5a5981
Instruction Fuzzy Hash: 257145B1A083508BC714CF15E89166BBBF1FFD5350F55892DE8CA8B391EB389905CB86

Function 024A6257 Relevance: 12.8, Strings: 10, Instructions: 259COMMON

Download Yara Rule

Strings

H-K/, xrefs: 024A6383
t9S;, xrefs: 024A639B
A%z', xrefs: 024A6373
J=[?, xrefs: 024A63A3
H1W3, xrefs: 024A638B
P5j7, xrefs: 024A6393
)E+G, xrefs: 024A63B3
A!V#, xrefs: 024A636B
*+, xrefs: 024A651B
a)D+, xrefs: 024A637B

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: )E+G$*+$A!V#$A%z'$H-K/$H1W3$J=[?$P5j7$a)D+$t9S;
API String ID: 0-1048206937
Opcode ID: 9557d932f895b842f89375490f4d2970dc734f102eb9ccf093ac965d3f4baa98
Instruction ID: 5c47af802098625aa3066a0d3e8fb1f2a2b2ab56ee585262d0136b6298087c90
Opcode Fuzzy Hash: 9557d932f895b842f89375490f4d2970dc734f102eb9ccf093ac965d3f4baa98
Instruction Fuzzy Hash: 477124B29083408BDB14DF15C8A166BBBF5FFD5354F19891DE8CA4B390E7748905CB86

Function 004093F0 Relevance: 10.5, Strings: 8, Instructions: 466COMMON

Download Yara Rule

Strings

>7;<, xrefs: 0040943D
908#, xrefs: 0040942D
!+2j, xrefs: 0040940D
vm/;, xrefs: 0040941D
$01;, xrefs: 00409425
ne, xrefs: 0040944D
w!w4, xrefs: 00409435
]P`X, xrefs: 004094DF

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: !+2j$$01;$908#$>7;<$]P`X$ne$vm/;$w!w4
API String ID: 0-1816957969
Opcode ID: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction ID: 962811ab211e1d28570dac15bbaa77c06cd37b2d9e3f7fb8cc951b72409213e1
Opcode Fuzzy Hash: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction Fuzzy Hash: 58D1137150C3918AC719CF39845066BFFE1ABA7304F1C89AEE4D59B383D6398909C7A6

Function 02489657 Relevance: 10.5, Strings: 8, Instructions: 466COMMON

Download Yara Rule

Strings

908#, xrefs: 02489694
$01;, xrefs: 0248968C
ne, xrefs: 024896B4
w!w4, xrefs: 0248969C
>7;<, xrefs: 024896A4
vm/;, xrefs: 02489684
]P`X, xrefs: 02489746
!+2j, xrefs: 02489674

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: !+2j$$01;$908#$>7;<$]P`X$ne$vm/;$w!w4
API String ID: 0-1816957969
Opcode ID: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction ID: fe1f45ce91e48767f3841f8f9b33358a376747db2868e903cb49c8ea0ed21db5
Opcode Fuzzy Hash: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction Fuzzy Hash: C6D1227151C7D18AC719DF38845067FBFE1AF92218F1C89AEE4D58B383D639850AC7A2

Function 00426FD4 Relevance: 9.3, Strings: 7, Instructions: 528COMMON

Download Yara Rule

Strings

fooab_\j, xrefs: 00427499
b_\j, xrefs: 0042742B
Vu6^, xrefs: 00427440
*+, xrefs: 00427783
twHp, xrefs: 00427447
|>uj, xrefs: 0042744E
Vu6^,GaSfooab_\j, xrefs: 004270FB

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: *+$Vu6^$Vu6^,GaSfooab_\j$b_\j$fooab_\j$twHp$|>uj
API String ID: 0-2039688736
Opcode ID: f4a2e7fd38d884fb034a0d3e8ace74e7d066327a33d758946f9801d5e0647866
Instruction ID: 7396e31f4ad740732c061ad3d16555dc77d21cfc48994c4ea944b2f41ed664f3
Opcode Fuzzy Hash: f4a2e7fd38d884fb034a0d3e8ace74e7d066327a33d758946f9801d5e0647866
Instruction Fuzzy Hash: FA0216B5E08261CFDB14CF64E8817AFB7B1EF46304F19446ED885AB342D7399902CBA5

Function 00432060 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004320A2
GetSystemMetrics.USER32 ref: 004320B2

Strings

;%C, xrefs: 004322EA
'/C, xrefs: 00432292
, xrefs: 0043219F

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: MetricsSystem
String ID: $'/C$;%C
API String ID: 4116985748-4198472220
Opcode ID: f4fefd3f3f432c54fb429ee2531fd8ae9419fdb06cc3e1da2e17a9bd189c8e85
Instruction ID: 0f73a1581adc0269d885ad3a2362c712946d20e258ec1fb036dc00bc5de3dcd6
Opcode Fuzzy Hash: f4fefd3f3f432c54fb429ee2531fd8ae9419fdb06cc3e1da2e17a9bd189c8e85
Instruction Fuzzy Hash: ABB16CB0409780CFE760DF15E58878FBBE0BB89308F51891ED5E89B251DBB95458CF86

Function 004098F0 Relevance: 7.9, Strings: 6, Instructions: 415COMMON

Download Yara Rule

Strings

AZ, xrefs: 00409C24
MW, xrefs: 00409C14
M\, xrefs: 00409C2C
u, xrefs: 00409AD8
de, xrefs: 00409D65
HR, xrefs: 00409C1C

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: AZ$HR$MW$M\$de$u
API String ID: 0-120532078
Opcode ID: 8771c1537253ace1c4ffb28fcf261afec6df3f075da17789c2a0a5ad85969621
Instruction ID: a6962564b024dc76ebe51450f4a540e682057812aa4ac59f43f148b8eada2d6d
Opcode Fuzzy Hash: 8771c1537253ace1c4ffb28fcf261afec6df3f075da17789c2a0a5ad85969621
Instruction Fuzzy Hash: 3CD134726087409BD718CF65C8516AFBBE2EFC5304F18892DE4D59B392CB38D909CB96

Function 02489B57 Relevance: 7.9, Strings: 6, Instructions: 415COMMON

Download Yara Rule

Strings

AZ, xrefs: 02489E8B
u, xrefs: 02489D3F
MW, xrefs: 02489E7B
M\, xrefs: 02489E93
HR, xrefs: 02489E83
de, xrefs: 02489FCC

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: AZ$HR$MW$M\$de$u
API String ID: 0-120532078
Opcode ID: d64f34769f08816fd6406b712aa56c165953e2b93eda5f414cdeffd65aee6856
Instruction ID: c77fdbba31b9243e71c7fbbb5023a02af6f9ae8f3049533373dc4dc3153c1f70
Opcode Fuzzy Hash: d64f34769f08816fd6406b712aa56c165953e2b93eda5f414cdeffd65aee6856
Instruction Fuzzy Hash: 94D134B2A087809BD718DF25C85166FBBE2EBC5304F18892DE5D68B390DB75D505CB82

Function 00428E72 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

MB, xrefs: 00428EE6
GI, xrefs: 00428EDF
At, xrefs: 004291D8
=t, xrefs: 00429191
CE, xrefs: 004290D6

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: =t$At$GI$MB$CE
API String ID: 0-1115079355
Opcode ID: bab740c4131d47c8ee67dc110200e8d71687f758c37eb31044e26f8606fb6957
Instruction ID: 7ba58a2278fd69101984f35cdfd73b68bd41d9aae2e487d378bac50c2911b04a
Opcode Fuzzy Hash: bab740c4131d47c8ee67dc110200e8d71687f758c37eb31044e26f8606fb6957
Instruction Fuzzy Hash: FDD157B5A00225CBDB248F65EC517ABB7B1FF86310F18816DD841AB795E7389D01CB98

Function 00415871 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0<RX, xrefs: 00415D01
RW!!, xrefs: 00415D0C
9,-P, xrefs: 00415D17
4?#8, xrefs: 00415CF6
)57L, xrefs: 00415CEB

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: )57L$0<RX$4?#8$9,-P$RW!!
API String ID: 0-1675874376
Opcode ID: d2f6307606761909721f2b0e13376f0ddd5a118a4948ccb4ef4b7e6e19ff4af2
Instruction ID: 944294a084fef500cf987cfcd5ab8545166bfb22ba062b216c7a22b9d9648bd9
Opcode Fuzzy Hash: d2f6307606761909721f2b0e13376f0ddd5a118a4948ccb4ef4b7e6e19ff4af2
Instruction Fuzzy Hash: 27D1D4B1608741CFC728CF28C8916AFBBE1BFD5314F148A2EE49A8B391D7349945CB46

Function 00429275 Relevance: 6.6, Strings: 5, Instructions: 318COMMON

Download Yara Rule

Strings

RXRW, xrefs: 00429475
@HD, xrefs: 0042947C
UHII1DZPZ_@HDRXRW, xrefs: 004294F5
ZPZ_, xrefs: 00429483
II1D, xrefs: 0042948A

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: @HD$II1D$RXRW$UHII1DZPZ_@HDRXRW$ZPZ_
API String ID: 0-2120590494
Opcode ID: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction ID: a261a53bb02daa8d55a9ee8f462f06156f841808213290fd0a3d9bb88be8b3d4
Opcode Fuzzy Hash: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction Fuzzy Hash: F8B15CB1E042168FCB24CF68D4416AFFBB2AF55314F54866ED46967382D738EC02CB95

Function 024A94DC Relevance: 6.6, Strings: 5, Instructions: 318COMMON

Download Yara Rule

Strings

ZPZ_, xrefs: 024A96EA
UHII1DZPZ_@HDRXRW, xrefs: 024A975C
RXRW, xrefs: 024A96DC
@HD, xrefs: 024A96E3
II1D, xrefs: 024A96F1

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: @HD$II1D$RXRW$UHII1DZPZ_@HDRXRW$ZPZ_
API String ID: 0-2120590494
Opcode ID: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction ID: 7333d2d9fc43d1bb9652834507edda8d07530f50607252f323b0dceeab89724c
Opcode Fuzzy Hash: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction Fuzzy Hash: 2DB138B1D04646CFCB24CF68C451AAFFBB2AF55314F18865EC46A6B782D335E902CB91

Function 00424600 Relevance: 6.5, Strings: 5, Instructions: 275COMMON

Download Yara Rule

Strings

B_B, xrefs: 00425F2C
Kv, xrefs: 00424652
BT, xrefs: 0042465A
BKB, xrefs: 00424B17
Z~, xrefs: 00424662

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: BKB$B_B$BT$Kv$Z~
API String ID: 0-2447844628
Opcode ID: f433a6b968e14b41975678b18e2b3823f0a0f863fabc920c900332fe3f992b6b
Instruction ID: 41d60e318bfc84058616c38a8017db35b3146dd0457df77541efcff1ef03d612
Opcode Fuzzy Hash: f433a6b968e14b41975678b18e2b3823f0a0f863fabc920c900332fe3f992b6b
Instruction Fuzzy Hash: 8491E2759083649FE720CF25E844B5FBBF4FBC6718F10882CE594AB281D7B499098F96

Function 024A90EA Relevance: 6.5, Strings: 5, Instructions: 254COMMON

Download Yara Rule

Strings

At, xrefs: 024A943F
MB, xrefs: 024A914D
GI, xrefs: 024A9146
=t, xrefs: 024A93F8
CE, xrefs: 024A933D

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: =t$At$GI$MB$CE
API String ID: 0-1115079355
Opcode ID: ca8fa90780371cd8046139a40f1612da85b68ec4ecd52cafbabc4950fa9ca481
Instruction ID: 55d67affcb69a3022f97c05c52dd23c976f1869f27e719af979aadb9c127eede
Opcode Fuzzy Hash: ca8fa90780371cd8046139a40f1612da85b68ec4ecd52cafbabc4950fa9ca481
Instruction Fuzzy Hash: 2C7146B2A003118BDB348F65C8A17ABB7B1FF5A310F18855DD8969F795E378A842CB50

Function 00417B7D Relevance: 6.2, Strings: 4, Instructions: 1201COMMON

Download Yara Rule

Strings

tv, xrefs: 004187B8
Uq"s, xrefs: 00418250
n;o=, xrefs: 00418658
l?E!, xrefs: 00418660

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: Uq"s$l?E!$n;o=$tv
API String ID: 0-3865798824
Opcode ID: 50ca1b3d3408d771f1502c34a88a9d5c9d82472f2b465bec5f12ada5f5cbe3e7
Instruction ID: 9a8c084a0e3a3d1f81143382cef168443ca77d8b15ee3b42c3fe5c03462fb779
Opcode Fuzzy Hash: 50ca1b3d3408d771f1502c34a88a9d5c9d82472f2b465bec5f12ada5f5cbe3e7
Instruction Fuzzy Hash: 9D8259726183518BC724CF29C8913ABB7E2FFC9714F198A2EE4C987391E7389941C746

Function 02488C47 Relevance: 6.1, APIs: 4, Instructions: 99threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02488C68
GetCurrentThreadId.KERNEL32 ref: 02488C70
GetForegroundWindow.USER32 ref: 02488CD8
ExitProcess.KERNEL32 ref: 02488D86

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction ID: 51627236da4f5013f881dadd71fd5598b1a54a8906e5ef05b79e54d3911e2127
Opcode Fuzzy Hash: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction Fuzzy Hash: 66316737E106181BCB187ABA8D8A36AB6C78FD5204F0E413E9D89EB395EA745C0946D0

Function 00423E10 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 546COMMON

Download Yara Rule

Strings

LN, xrefs: 0042401A
?B, xrefs: 004244F9, 0042450E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: ?B$LN
API String ID: 0-2731336514
Opcode ID: fad7d7507273740611aaf3b92a54d75ad8fcafff93fe75621bc3e8f0dee9342a
Instruction ID: 8e3b3c9c738891b592dad0537fa245508e192562bdb33556c0ffa6f3f50579c4
Opcode Fuzzy Hash: fad7d7507273740611aaf3b92a54d75ad8fcafff93fe75621bc3e8f0dee9342a
Instruction Fuzzy Hash: DB0210B4A083508FD314DF65E89262BBBF0EFC6714F54893DE5918B391DB788909CB4A

Function 00426320 Relevance: 5.4, Strings: 4, Instructions: 396COMMON

Download Yara Rule

Strings

-5, xrefs: 00426397
%%, xrefs: 0042638F
52, xrefs: 004263A7
<8, xrefs: 0042639F

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: %%$-5$52$<8
API String ID: 0-1128558009
Opcode ID: ae4783b05985fe3110e8bbb47fe277da4821a21c3b49e424d0b05737afd26c80
Instruction ID: cc2be77d66a48409f57b52d7d15eed03f5b94e1c424b31e3d279d8b1402fce11
Opcode Fuzzy Hash: ae4783b05985fe3110e8bbb47fe277da4821a21c3b49e424d0b05737afd26c80
Instruction Fuzzy Hash: 35D1F0B9609340DFE720DF24E88176FBBA1FBC6304F95982DE5854B261D738D941CB4A

Function 0040ABC0 Relevance: 5.4, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

WNO@, xrefs: 0040AD26
~, xrefs: 0040AE16
o, xrefs: 0040ABE1
JVL, xrefs: 0040AD1E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: WNO@$o$~$JVL
API String ID: 0-3715106896
Opcode ID: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction ID: 61e93c9d638c4de2b64ce56eded293134a784d530760b2aaaacf2eee11c137b4
Opcode Fuzzy Hash: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction Fuzzy Hash: C3C1077174C3514BC714DE2898512AFFBD3DBD2304F1C893EE8D56B385D679881A878A

Function 0248AE27 Relevance: 5.4, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

WNO@, xrefs: 0248AF8D
JVL, xrefs: 0248AF85
~, xrefs: 0248B07D
o, xrefs: 0248AE48

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: WNO@$o$~$JVL
API String ID: 0-3715106896
Opcode ID: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction ID: 58c0a796ab51a250f8c46b687ea0cd29310be838c2f7ca676c98d5c46ec5047f
Opcode Fuzzy Hash: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction Fuzzy Hash: 79C1057275C3504FD315EE6898512AFFBD3EBC2208F0C892EE8D59F396D675840A8786

Function 00418C0E Relevance: 4.1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

f, xrefs: 00418F28
{}, xrefs: 00418D85
fg, xrefs: 00418DA6

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: f$fg${}
API String ID: 0-1967710109
Opcode ID: 7e09a703c82657eaf1273003cdf2f2c5bcf1d20abddd389306156c1b28611b05
Instruction ID: aae12db23b3788d98dea9680feaecec02383ea2548b454809a45c8d67d8be104
Opcode Fuzzy Hash: 7e09a703c82657eaf1273003cdf2f2c5bcf1d20abddd389306156c1b28611b05
Instruction Fuzzy Hash: 22B177B11183808BD7358F25C8A13EBBBE1FF96304F19891DD4C98B355EB389941CB96

Function 00409120 Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

cb, xrefs: 0040929D
p, xrefs: 004092A4
w, xrefs: 0040925C

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: cb$p$w
API String ID: 0-2558045562
Opcode ID: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction ID: 9dc2c72e5ead76aa4ceaa205b55d68a5b16210bedcbe93a35f7211c0301ac567
Opcode Fuzzy Hash: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction Fuzzy Hash: 5971E86150C3828BD7198F2984A076BFFE19FE6305F18486EE8D65B3C2D6398909CB56

Function 02489387 Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

p, xrefs: 0248950B
cb, xrefs: 02489504
w, xrefs: 024894C3

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: cb$p$w
API String ID: 0-2558045562
Opcode ID: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction ID: fd562bd0c3f0652f82a41c01815e04143d68a1c7cbee2b724cdb9d976967e04c
Opcode Fuzzy Hash: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction Fuzzy Hash: 3471C2B151D3C28BD3198F2984A077FFFE19FE2209F28486EE4D64B742D739850A8756

Function 004248C0 Relevance: 4.0, Strings: 3, Instructions: 287COMMON

Download Yara Rule

Strings

B_B, xrefs: 00425F2C
BKB, xrefs: 00424B17
t2t4, xrefs: 004249D5

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: BKB$B_B$t2t4
API String ID: 0-1981236614
Opcode ID: 01d0d7253dddeb0e17093fb5ef144980c88eb91e06fab770b3381f6e2ae9b378
Instruction ID: 614ae0a42cfed9dc08d9bfdba0cffc7c05148e483d0e251fe3c94daf7921e395
Opcode Fuzzy Hash: 01d0d7253dddeb0e17093fb5ef144980c88eb91e06fab770b3381f6e2ae9b378
Instruction Fuzzy Hash: E0A1DDB4E143189FEB20DF68EC4679EBBB4FB85304F1041ADE558AB281E7745948CF92

Function 0249888D Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

l?E!, xrefs: 024988C7
tv, xrefs: 02498A1F
n;o=, xrefs: 024988BF

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: l?E!$n;o=$tv
API String ID: 0-1287815614
Opcode ID: 52eaeb7f128f6d50e641a27113b01a989792768135268d85aa3dfa5527528a24
Instruction ID: 870c32d8174ea0a53b0657769e93e560d93517e9dbafb820019b13af7d99b4f0
Opcode Fuzzy Hash: 52eaeb7f128f6d50e641a27113b01a989792768135268d85aa3dfa5527528a24
Instruction Fuzzy Hash: E571F1B16083528BC7188F28C4917ABBBB1FFD9708F288A1DE4C95B395E3788511C74A

Function 00426E30 Relevance: 3.9, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

*+, xrefs: 00427783
?0@y, xrefs: 00427688
st, xrefs: 0042767E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: *+$?0@y$st
API String ID: 0-3200688088
Opcode ID: 04aa4156c73ddabf55af22e28ecd7eebcfee022abee846016d8c987ee9497927
Instruction ID: 18b39e1dde662e51f3017477cc623d6fc9aee4735e45f5c29a444de813fcac7f
Opcode Fuzzy Hash: 04aa4156c73ddabf55af22e28ecd7eebcfee022abee846016d8c987ee9497927
Instruction Fuzzy Hash: 4161CDB460C3908BC7249F25D9127ABBBE2FFC2304F14986DD1C99B255EB388505CB5A

Function 0248092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0248095F
GetProcAddress., xrefs: 024809DC, 024809DF, 024809E4
l, xrefs: 02480966

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8cdf4942245fb07499dfcbfde2d2b629970e6a449e81b357afbaf2dd344a87d1
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 1A314AB6920609DFDB11DF99C880AAEBBF9FF48324F15504AD841A7310D771EA49CFA4

Function 0248BF5E Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

\ U", xrefs: 0248BFAE
#$, xrefs: 0248BFB6
[,R., xrefs: 0248BFC7

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: #$$[,R.$\ U"
API String ID: 0-750793529
Opcode ID: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction ID: 515eab4a3b9c271e14c5281c4214c7ab2869931a4a4de33fe709c4e7be740924
Opcode Fuzzy Hash: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction Fuzzy Hash: 8021F476B693409FC3188F24CC813AABBE39BC2214F29943DE695D7365D979C4068B05

Function 0040D60B Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040D617

Strings

^ZPh, xrefs: 0040D6F9

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: Uninitialize
String ID: ^ZPh
API String ID: 3861434553-2456795349
Opcode ID: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction ID: 26858edf45d91ebc42d41cec0cb2fb653e020a8aad098dae5d7e15d33482b42b
Opcode Fuzzy Hash: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction Fuzzy Hash: 47B11FB154C3C18FD335CF69C8907ABBBE1ABD2300F09896DC4D9AB241DA794809CB96

Function 0248D872 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0248D87E

Strings

^ZPh, xrefs: 0248D960

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: ^ZPh
API String ID: 3861434553-2456795349
Opcode ID: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction ID: 7bc19b86df749892c1981886c5a401b69e41e6f09d52425285b7f78b3b467625
Opcode Fuzzy Hash: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction Fuzzy Hash: 16B10DB195D3C18FD339CF29C8907ABBBE1AB92300F08896DC4DA9B250DB754506CB92

Function 0040DAA4 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DAB0

Strings

^ZPh, xrefs: 0040DB89

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: Uninitialize
String ID: ^ZPh
API String ID: 3861434553-2456795349
Opcode ID: 7715acc31612e1ddc6cd5daed71277af3f9891a9f0007f18dc148ea1d162bfea
Instruction ID: 89d598a289bbd84bac73ea7606ff7ea02523b180c65328e9f941809cba950f54
Opcode Fuzzy Hash: 7715acc31612e1ddc6cd5daed71277af3f9891a9f0007f18dc148ea1d162bfea
Instruction Fuzzy Hash: B4A120B154C3D08BD335CF6988907EBBBE1AF93300F09896DC4D9AB391D6794809DB96

Function 00404C10 Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

0, xrefs: 00405547
8, xrefs: 0040553F

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction ID: 25bae1e47d7d56949933a0e78302b03e45d6945f536d58c80bbc069f41dcd89c
Opcode Fuzzy Hash: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction Fuzzy Hash: D77224716083419FD714CF28C894B6BBBE1EF88314F04892EF9999B391D379D948CB96

Function 02484E77 Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

0, xrefs: 024857AE
8, xrefs: 024857A6

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction ID: a2bf862b3d8d6915df70ec46c62e3669dfebe5b4839acf85320454f1c3c4b5cc
Opcode Fuzzy Hash: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction Fuzzy Hash: 9E7244716183409FD725DF18C880BAFBBE1AF88314F45892EF9998B391D375D948CB92

Function 0041A0A0 Relevance: 3.1, Strings: 1, Instructions: 1887COMMON

Download Yara Rule

Strings

I,~M, xrefs: 0041B412

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID: I,~M
API String ID: 2994545307-1339956858
Opcode ID: 1b522c6660a5df90568f6d421ba254ca16045a3f1e2a9cb51ba3f592770652f7
Instruction ID: bdfe155b88a39e1e6441da59ec174187d495de05e97d6a8753ecb0654d06f7f9
Opcode Fuzzy Hash: 1b522c6660a5df90568f6d421ba254ca16045a3f1e2a9cb51ba3f592770652f7
Instruction Fuzzy Hash: 24C29976A883504BC724CFA4CC803ABB7D2EBC9314F19863ED99587391E7B89D4587C6

Function 0249A307 Relevance: 3.1, Strings: 1, Instructions: 1887COMMON

Download Yara Rule

Strings

I,~M, xrefs: 0249B679

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: I,~M
API String ID: 0-1339956858
Opcode ID: e0aca29f99186c85229ac918451a06856e8cc4352d518a764de5a7a6db091ea7
Instruction ID: 8ab68f9d433460516826c4fd5baed0d6832aed41d0395700d65d99b9cf8d22cd
Opcode Fuzzy Hash: e0aca29f99186c85229ac918451a06856e8cc4352d518a764de5a7a6db091ea7
Instruction Fuzzy Hash: 05C29976A483504BCB24CFA9CCC07ABBBD2EBC5318F19863ED9D587390DBB499058781

Function 0041CF70 Relevance: 3.1, Strings: 2, Instructions: 596COMMON

Download Yara Rule

Strings

!", xrefs: 0041D373
rI, xrefs: 0041D12F

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: !"$rI
API String ID: 0-844706243
Opcode ID: 0f4dc5e425522722d8aec5e92a7d28b9ce0f0d2dfe82a70a307180c5e10c13b8
Instruction ID: 59239d79965ae17ad11677737b57ea6d04b107aa7ec12c9d27328e48433055a1
Opcode Fuzzy Hash: 0f4dc5e425522722d8aec5e92a7d28b9ce0f0d2dfe82a70a307180c5e10c13b8
Instruction Fuzzy Hash: 4B02EDB1A083108BC704DF69C8916ABFBF2EF95314F04892DE8D58B352E739D945CB96

Function 0042C856 Relevance: 2.9, Strings: 2, Instructions: 375COMMON

Download Yara Rule

Strings

.g~_, xrefs: 0042CDF4
=7>4, xrefs: 0042CDED

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: .g~_$=7>4
API String ID: 0-1087258636
Opcode ID: 810adcc03c9076cc7768c1319066dfe941a69f1b4151d3db999518d95fe0f983
Instruction ID: 426a6555080ef9445f2e063ec60bb6acfd642551908969b8c14281614fb6566d
Opcode Fuzzy Hash: 810adcc03c9076cc7768c1319066dfe941a69f1b4151d3db999518d95fe0f983
Instruction Fuzzy Hash: 73B1B0746047918FD719CF3AD0A0766BFE1AF57304F6885AEC4DA8B392C639D806CB54

Function 024ACABD Relevance: 2.9, Strings: 2, Instructions: 375COMMON

Download Yara Rule

Strings

=7>4, xrefs: 024AD054
.g~_, xrefs: 024AD05B

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: .g~_$=7>4
API String ID: 0-1087258636
Opcode ID: 0ee4a42d4746e8c695e657f20942a5ca1c5fef09a2babe658cd80fe75d08c8a3
Instruction ID: c00fed51106cc8f580fb00192193446a0bb3dbce80d1d71612561ae2fed39324
Opcode Fuzzy Hash: 0ee4a42d4746e8c695e657f20942a5ca1c5fef09a2babe658cd80fe75d08c8a3
Instruction Fuzzy Hash: D0B1A1706086828FD719CF39C0A0762BFE1AF67304F2885AED4DA8B792C7359806CB54

Function 0041D690 Relevance: 2.9, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

'^_P, xrefs: 0041DA3A, 0041DA47
de, xrefs: 0041D916

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: '^_P$de
API String ID: 0-3551605531
Opcode ID: 011ccc9b8a72fff37c233147ae8e80253a213ba1f7343ab2b4b8b360e21f74d2
Instruction ID: fbee645a751c7581883523adc8075052a5fcce7af7ffc2945cf5a62ecf3d6b57
Opcode Fuzzy Hash: 011ccc9b8a72fff37c233147ae8e80253a213ba1f7343ab2b4b8b360e21f74d2
Instruction Fuzzy Hash: B691E1B19183118BC724DF24C8526ABB3F0FF92354F18995EE4D98B391E738D944C79A

Function 0249D8F7 Relevance: 2.9, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

'^_P, xrefs: 0249DCA1, 0249DCAE
de, xrefs: 0249DB7D

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: '^_P$de
API String ID: 0-3551605531
Opcode ID: 792279698758c2ffb64c9fee2c79c8ad9636a83cdf72c6d7e5ede998132a912c
Instruction ID: dd8a411cbd1e4fadf9ebd216f508f09f7600b06a0d045b615e39f160dcf3c636
Opcode Fuzzy Hash: 792279698758c2ffb64c9fee2c79c8ad9636a83cdf72c6d7e5ede998132a912c
Instruction Fuzzy Hash: 3191CEB5908341CBCB24EF24C852A6BB7F0FF86318F58995EE8959B390E734D904C756

Function 004150B0 Relevance: 2.9, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

ca, xrefs: 0041533B
5TA, xrefs: 0041542F

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 5TA$ca
API String ID: 0-3467899122
Opcode ID: 2932462067568c84c624c23d9a51cd7536d3edb1d0543bc9ec2ffbeeca233880
Instruction ID: 6bdb7ea39ea8358c717945c8ccffd2e000072dcdef5c738ea096326466136862
Opcode Fuzzy Hash: 2932462067568c84c624c23d9a51cd7536d3edb1d0543bc9ec2ffbeeca233880
Instruction Fuzzy Hash: EAB12676905700CBD3209F25CC817EBB7A2FFC5714F09862EE8888B391E7789945CB56

Function 0043E8E0 Relevance: 2.8, Strings: 2, Instructions: 337COMMON

Download Yara Rule

Strings

], xrefs: 0043E994
], xrefs: 0043E957

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID: ]$]
API String ID: 2994545307-2815796728
Opcode ID: f431b808b13bd389e4eb2fb877a71b32bc5cb0b39fabed9961ae4fa1ed968b1e
Instruction ID: 64d1f92de71d6b1c7c4b11b4d6aaa6aff454503c9ce1f8216010a09425cc65bb
Opcode Fuzzy Hash: f431b808b13bd389e4eb2fb877a71b32bc5cb0b39fabed9961ae4fa1ed968b1e
Instruction Fuzzy Hash: 27A147366093108BD328DF15C89167BB7A2EBD9310F18993EE9D657391CA39AC05CB86

Function 024BEB47 Relevance: 2.8, Strings: 2, Instructions: 337COMMON

Download Yara Rule

Strings

], xrefs: 024BEBFB
], xrefs: 024BEBBE

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: ]$]
API String ID: 0-2815796728
Opcode ID: 45a586ed15f6806d5bb60f7a938cd24a0f88f5fd92f76d67d15c4410da70c3b8
Instruction ID: 7a6572cf2ec9611009b84669932000ceb5c46c4922b47f9323b4a9e9afa0aae2
Opcode Fuzzy Hash: 45a586ed15f6806d5bb60f7a938cd24a0f88f5fd92f76d67d15c4410da70c3b8
Instruction Fuzzy Hash: 5EA135367083108BD32ACF14C8916EBB7A2EFD5314F58893ED99657391CB35AC46CB91

Function 0042CBC2 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

.g~_, xrefs: 0042CDF4
=7>4, xrefs: 0042CDED

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: .g~_$=7>4
API String ID: 0-1087258636
Opcode ID: eef3c031c616ececf3b85df479716983cec1cbe2fa7c90ef5724d57e33dac313
Instruction ID: 02d0efe261b8549ff949b6c2b077e4225431b3a6a2693acd9c4e448e19cbd7f2
Opcode Fuzzy Hash: eef3c031c616ececf3b85df479716983cec1cbe2fa7c90ef5724d57e33dac313
Instruction Fuzzy Hash: 79A1D1746046918FD719CF39D0A0766BFE1AF57304F6981AEC49A8B352CA39D806CB58

Function 024ACE29 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

=7>4, xrefs: 024AD054
.g~_, xrefs: 024AD05B

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: .g~_$=7>4
API String ID: 0-1087258636
Opcode ID: 4f7c81578270dfb32f384486994a9efb397590a112fa787ad23bf454c89eedae
Instruction ID: 7c13595ab6c4c655250834ca6a3d603b3683d50f343ca876b6ce9e5d8aa5d23c
Opcode Fuzzy Hash: 4f7c81578270dfb32f384486994a9efb397590a112fa787ad23bf454c89eedae
Instruction Fuzzy Hash: 0DA1B3706097818FD719CF39C4A0766BFE1AF66304F28C1AED49A8B792CB35D806CB54

Function 004042E0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0040435B
IEND, xrefs: 004046D1

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 4b11f0427a8d39e7f4ee21428c6dcedd1539bd0bf162f4913477910bccb130ad
Instruction ID: 0153b4d3b548ecd6a6b4d3c8a2036607e78b04b12dcbea6cbb27936a2d619856
Opcode Fuzzy Hash: 4b11f0427a8d39e7f4ee21428c6dcedd1539bd0bf162f4913477910bccb130ad
Instruction Fuzzy Hash: 77D1BFB16083449FD710CF14D845B5BBBE4ABD4308F14492EFA99AB3C2D779D908CB9A

Function 02484547 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 024845C2
IEND, xrefs: 02484938

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: aa74a17f4dbac3ab2a9e15463e0f52df8341742832f961fabdff76c876c732c3
Instruction ID: ba0dc62274dc78ba9a48a9198eab672fb8cf2d654685bc536e1f15f685e7be72
Opcode Fuzzy Hash: aa74a17f4dbac3ab2a9e15463e0f52df8341742832f961fabdff76c876c732c3
Instruction Fuzzy Hash: 50D1AFB1918345AFD720EF18C840B5FBBE5AF94304F14492EF9999B381D375E948CB92

Function 0042BF1D Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

^P, xrefs: 0042C213
mnTP, xrefs: 0042C0EC

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: 6c13e93dd1faa14a77f8d28027c5c854ad0f77d2dfb4fc15d311b2be2602a57b
Instruction ID: 1dd869945a53d02bdba6fe0eac20b34157f8238e68884e744b5e0783b284d15a
Opcode Fuzzy Hash: 6c13e93dd1faa14a77f8d28027c5c854ad0f77d2dfb4fc15d311b2be2602a57b
Instruction Fuzzy Hash: 6081D171205B418FD725CF39C891766BBE2BF9A304B18859ED4D68B793C738E806CB54

Function 024AC184 Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

mnTP, xrefs: 024AC353
^P, xrefs: 024AC47A

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: cd957a9dd950e5614f0e0905ac1f94fde1f7f98911dfae7950a75de1a88df5bd
Instruction ID: 513f159747ba6f709fdce03368a10489e5ffd1ed653624e4eda348b5528cc182
Opcode Fuzzy Hash: cd957a9dd950e5614f0e0905ac1f94fde1f7f98911dfae7950a75de1a88df5bd
Instruction Fuzzy Hash: 7F81D5716057418FD765CF39C890B62BBE2FF9A214B18C59EC4D68B792C739E806CB50

Function 0042BF9C Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

^P, xrefs: 0042C213
mnTP, xrefs: 0042C0EC

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: 43aa26eb8403dcfcdc5ce52f076909275dba46297b80da5abd18985221456ea4
Instruction ID: 7def9da14c2a93856457756a282834e12fc7cccaeaf1489d56583180b4928342
Opcode Fuzzy Hash: 43aa26eb8403dcfcdc5ce52f076909275dba46297b80da5abd18985221456ea4
Instruction Fuzzy Hash: 8281E071605B418FD729CF39C890723FBE2AF9A304B19C59ED4D68B792C678E806CB54

Function 024AC203 Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

mnTP, xrefs: 024AC353
^P, xrefs: 024AC47A

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: 91b8667385c6759153816db195a2fb85aa7cf6089114535c4df86d3a0a4be1f5
Instruction ID: c2670be34f0f9f7658fd2455dbfad68f2aaa9607e68c4135f25c297cb53e865b
Opcode Fuzzy Hash: 91b8667385c6759153816db195a2fb85aa7cf6089114535c4df86d3a0a4be1f5
Instruction Fuzzy Hash: 3881E3316057818FD769CF39C890722FBE2AF9A204B19C59EC4D68F792C774E806CB10

Function 00416152 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

IJ, xrefs: 0041621C
gfff, xrefs: 004162BA

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: IJ$gfff
API String ID: 0-2879405950
Opcode ID: fbbe9a8b4e0ab8c8d22acebb119e797877ea6da011273103e6879d127ed93e21
Instruction ID: 13fbb475582efd389b0e1fe4cbd9cf5b7c8b56cff3322eac5d7f1d01ec1997cb
Opcode Fuzzy Hash: fbbe9a8b4e0ab8c8d22acebb119e797877ea6da011273103e6879d127ed93e21
Instruction Fuzzy Hash: 35711672B542114BC324CF28CC427AB76D6ABC9314F09863ED889DB396D778D94687C9

Function 024963B9 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

IJ, xrefs: 02496483
gfff, xrefs: 02496521

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: IJ$gfff
API String ID: 0-2879405950
Opcode ID: 68fcbacf441555df0acc5db73a6eed30f6b393c545d6c8028aa9aba136cadc43
Instruction ID: 4b97a7c31cf96ee5cca28194c5e01ebad4359846342bd2966b410849d327d105
Opcode Fuzzy Hash: 68fcbacf441555df0acc5db73a6eed30f6b393c545d6c8028aa9aba136cadc43
Instruction Fuzzy Hash: 5D7156B2A042514BC724CF29CC817AB7AD6EBC9314F0AC23ED989CB395D778D906C781

Function 0249D275 Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

rI, xrefs: 0249D396
[\, xrefs: 0249D448

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: [\$rI
API String ID: 0-3327430303
Opcode ID: 020db8cc1935b647c78ff23a333c99a805be3ad55de34f09ac5bc5c7ccb579f6
Instruction ID: 2400f6616f93b24e890f19c9984c32f9533f56b6d82bd5e3da2e62b12bda07e3
Opcode Fuzzy Hash: 020db8cc1935b647c78ff23a333c99a805be3ad55de34f09ac5bc5c7ccb579f6
Instruction Fuzzy Hash: A96196B650C3459BD704EF66C811A5FFBF2ABD1704F04886CE0D54B252E63AC6098B96

Function 00415649 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

9%=:, xrefs: 004157ED
1-52, xrefs: 00415803

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 1-52$9%=:
API String ID: 0-635023363
Opcode ID: 219378ee112be76059c04a61141c30ecfc010fc20d0bea7234a7989c9b57fe51
Instruction ID: 80949dadd14b750abfbaaa2f3e5796204c6587049f77796d9417155e8e780057
Opcode Fuzzy Hash: 219378ee112be76059c04a61141c30ecfc010fc20d0bea7234a7989c9b57fe51
Instruction Fuzzy Hash: C05137B9A09341CBE7309F24EC86BDFB7D1FB85308F08493DE59887292D7389505875A

Function 024A7097 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

st, xrefs: 024A78E5
?0@y, xrefs: 024A78EF

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: ?0@y$st
API String ID: 0-3855076123
Opcode ID: 55919d7029db8820b8244f2a50727a2827b3f0d310494412798a7cb9c58cfd04
Instruction ID: 9944057cc64de565f6172bb78bf8d4487127b5de417d88d2b165d130e251bdbc
Opcode Fuzzy Hash: 55919d7029db8820b8244f2a50727a2827b3f0d310494412798a7cb9c58cfd04
Instruction Fuzzy Hash: 2841E0B5A083808BC728DF25C9127AFBEE6FBD2304F14986DD0C99B355DA358505CB5B

Function 00416DF8 Relevance: 2.4, Strings: 1, Instructions: 1168COMMON

Download Yara Rule

Strings

y, xrefs: 00417917

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID: y
API String ID: 2994545307-4225443349
Opcode ID: cb646c2d9bb4abc8463feec7f5576f49044a76f53d787a818185c3285f34a320
Instruction ID: 3f94822c54d2a309a0bae535589520cefad76859f6647abd138ebd4f61dd5f14
Opcode Fuzzy Hash: cb646c2d9bb4abc8463feec7f5576f49044a76f53d787a818185c3285f34a320
Instruction Fuzzy Hash: 89623676A483408BC720CF69CC817ABB7E2EBCA314F29463ED5D9C7391DB7898468745

Function 00429940 Relevance: 2.1, Strings: 1, Instructions: 827COMMON

Download Yara Rule

Strings

#&2*, xrefs: 0042A151

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: #&2*
API String ID: 0-2580052025
Opcode ID: c2a7b0eb17110cacac60e11154bd9599ed1598a1f4eff3edd4eefe9e947b3568
Instruction ID: 3c1f283b8b7ba0daa85251326d452beed871793d90e54090f4f80c323f89be1d
Opcode Fuzzy Hash: c2a7b0eb17110cacac60e11154bd9599ed1598a1f4eff3edd4eefe9e947b3568
Instruction Fuzzy Hash: 534221757083908BD7148F29E88176BB7E1EBCA304F588A3DE89587392D738DC05CB5A

Function 0043A300 Relevance: 2.0, Strings: 1, Instructions: 736COMMON

Download Yara Rule

Strings

f, xrefs: 0043A575

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: e3f363c81b7ed069354251b2873ec14f596779681f90d8d54b92eb0d521d9666
Instruction ID: c5895f5a1225713e4be3f824d0c184b824eed9ad20f275d0302f61e4634b7589
Opcode Fuzzy Hash: e3f363c81b7ed069354251b2873ec14f596779681f90d8d54b92eb0d521d9666
Instruction Fuzzy Hash: BF2216316483118FD314CF29C881B2BB7E2ABC9314F299A2EE4D587392D774DC168B97

Function 024BA567 Relevance: 2.0, Strings: 1, Instructions: 736COMMON

Download Yara Rule

Strings

f, xrefs: 024BA7DC

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 145d0c87cd4269aff8ee87b72926dafd3ef8ec72c040e2777a76e9e38e5593b4
Instruction ID: f9221e5b71d2663cf589dfcd77d1f73d3e5cf20fb9e53733cf792d07ac1a2749
Opcode Fuzzy Hash: 145d0c87cd4269aff8ee87b72926dafd3ef8ec72c040e2777a76e9e38e5593b4
Instruction Fuzzy Hash: 262227716083518FD715CF29C880B6FB7E2AFC9718F188A2EE49587391D771D806CBA2

Function 0041498C Relevance: 1.9, Strings: 1, Instructions: 660COMMON

Download Yara Rule

Strings

gMA, xrefs: 00414D52

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: gMA
API String ID: 0-4141171961
Opcode ID: 449084fe3ced892f0f85b3d21849c1c56ac3c493321cbd3db2149010e11fbfd9
Instruction ID: 7ed22c41b2b902de01ba3d89eb0afe22531aec8a725bbd8400c1d6405f1c41ed
Opcode Fuzzy Hash: 449084fe3ced892f0f85b3d21849c1c56ac3c493321cbd3db2149010e11fbfd9
Instruction Fuzzy Hash: B3026979208304DFD714AF29ED02BAB77A1EBCA314F28453DF58183392E7799D418B89

Function 0042C294 Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

>17:, xrefs: 0042C493

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: >17:
API String ID: 0-1108518575
Opcode ID: ec9c124b06aa3a57106320d89c255d93f7a80c79bcba902fdc280854a85d9ea5
Instruction ID: b4fee659546a649315a5339d2cb94c5415abeff9094927cede1f35a314837d9c
Opcode Fuzzy Hash: ec9c124b06aa3a57106320d89c255d93f7a80c79bcba902fdc280854a85d9ea5
Instruction Fuzzy Hash: FCF157312047918FDB158F39D4D0766BBE2AFA7300F58859EC4D68F396C739A806CB69

Function 024AC4FB Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

>17:, xrefs: 024AC6FA

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: >17:
API String ID: 0-1108518575
Opcode ID: 46b8cd04c4b9c286579a25c59f194b469d7899db2c45aa54d1851902b917222d
Instruction ID: fa2b0e30961045fca81803184d2dc5c4cc39141e9b8ab12cf1ffef95a218f365
Opcode Fuzzy Hash: 46b8cd04c4b9c286579a25c59f194b469d7899db2c45aa54d1851902b917222d
Instruction Fuzzy Hash: 54F1F4315057818FDB568F39C8E0762BFA2AFA7204F18859EC4D68F796C739A406CB61

Function 0042332F Relevance: 1.8, Strings: 1, Instructions: 554COMMON

Download Yara Rule

Strings

27B, xrefs: 00423716

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 27B
API String ID: 0-3497748580
Opcode ID: 1c226918ee4311e7420df827624ae133e83fc077cde95bb403a37c6cad2ac75e
Instruction ID: 0633142c69849dd16e020829722f31e231108d8f5aab11b28a041870a773e858
Opcode Fuzzy Hash: 1c226918ee4311e7420df827624ae133e83fc077cde95bb403a37c6cad2ac75e
Instruction Fuzzy Hash: 70F10176608311DFC714CF28EC8166A73E1EB8A716F598A7DE89197391D738AA01CB84

Function 0042576B Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

kXB, xrefs: 00425786

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: kXB
API String ID: 0-1366493747
Opcode ID: 837a806f469f48c4fc5240d0766a935de1c4d864888b80e6955c0cc0977a0a25
Instruction ID: e2474d337541c831b06913755704da77413ba70772d64fce1efa7e9584cda676
Opcode Fuzzy Hash: 837a806f469f48c4fc5240d0766a935de1c4d864888b80e6955c0cc0977a0a25
Instruction Fuzzy Hash: 2EF11375A00616CBCB24CF64D4916BFB3B2FF89350FA9816EC482AB364D7389D42CB54

Function 024968B9 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

GEW, xrefs: 024968DC

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: GEW
API String ID: 0-646702372
Opcode ID: 809eb200281ac54a43ffbf5e61fd3ac9f317471f6af0386304317eb10c8c3727
Instruction ID: d93b2efcd7bda6d733fb5e8fad63e2717fb0f2418ed75c1f1bfd44e554231021
Opcode Fuzzy Hash: 809eb200281ac54a43ffbf5e61fd3ac9f317471f6af0386304317eb10c8c3727
Instruction Fuzzy Hash: 89F167B01083908AE7348F24C4617ABBBE1FF92308F159A5DD5CA5F391E3BA8546CB56

Function 00438089 Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

xy, xrefs: 0043830E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: xy
API String ID: 0-2414225561
Opcode ID: e13f55cb485dc48fdea8ee4030eba812e565fd8427798f1b0b0708b68adf4a6b
Instruction ID: fc34ca27b4206ed0a510f0337f4e7b76a65a61094a81d3279fb893246519fafe
Opcode Fuzzy Hash: e13f55cb485dc48fdea8ee4030eba812e565fd8427798f1b0b0708b68adf4a6b
Instruction Fuzzy Hash: 42D1F53A618351CBCB189F24E85126BB3F1FF4A741F4BC87DD8424B2A4E73A8958C746

Function 00422C50 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

MN, xrefs: 00422C7C

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: MN
API String ID: 0-2506772256
Opcode ID: a7a0c78249176ad8a43002c3024e644cbf53ba1f219a288f66c21a05a7bb338e
Instruction ID: a2df185f56ea5ac14bd94646a1b3db0f35a61754290066c9a419cf59740ba31b
Opcode Fuzzy Hash: a7a0c78249176ad8a43002c3024e644cbf53ba1f219a288f66c21a05a7bb338e
Instruction Fuzzy Hash: 2CB14871A043206BD724DF24D95267BB3F1EF81324F4A852EF88597382E378D905C79A

Function 024A2EB7 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

MN, xrefs: 024A2EE3

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: MN
API String ID: 0-2506772256
Opcode ID: 943bba55a70740fe07d49aee82d239e7e3c42db4cd7fb5b1fcdcc400fc19f6e1
Instruction ID: 3d4a69cc42072b1edd5cd0852404186017e51fc51f097adaf1c79356f07df30f
Opcode Fuzzy Hash: 943bba55a70740fe07d49aee82d239e7e3c42db4cd7fb5b1fcdcc400fc19f6e1
Instruction Fuzzy Hash: 16B14A71A043009BD725DF29C8A2A7BB7F1EF91314F09896EE89687381F335E905C792

Function 0042ACB0 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

", xrefs: 0042AF98

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 54a9fcce638e25bfa637b080298c89dd30ab75eb8f4464f2cd9cf19577032b45
Instruction ID: 25e1e62e830ec0bd94d26b646812ac619c3b74d8d5c24a63f665a15afad4abb1
Opcode Fuzzy Hash: 54a9fcce638e25bfa637b080298c89dd30ab75eb8f4464f2cd9cf19577032b45
Instruction Fuzzy Hash: 0CC133B2B083205FD7158E25E45076BB7E6AF84350F49892EE8958B382E73CDC5587CA

Function 024AAF17 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

", xrefs: 024AB1FF

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 0406b252fb5e2e052edb644e1e846d66c7086a0261585dc79e9f2cc4c109518e
Instruction ID: 1f72d340675afd8d9c5cefa73a9ba967b43e39e73fac33b1569e90026a672191
Opcode Fuzzy Hash: 0406b252fb5e2e052edb644e1e846d66c7086a0261585dc79e9f2cc4c109518e
Instruction Fuzzy Hash: CFC147B2A083545BD725CE25C460B6FB7E6EFB5358F08892FE8968B381D774D844CB81

Function 00415D8A Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

@FGX, xrefs: 00415E33

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: @FGX
API String ID: 0-349140567
Opcode ID: b544ed2384a2f917b8c04167ded27b28201152752532507245198afb32424d91
Instruction ID: e0e2b40c9fa1c3d72baba6ed1b97abea9726b9189fb08b3537722b91034629ba
Opcode Fuzzy Hash: b544ed2384a2f917b8c04167ded27b28201152752532507245198afb32424d91
Instruction Fuzzy Hash: D7C126B6A087408FD714CF29D8916EBB7D3ABC9314F19893EE0D9C7391DB3899468706

Function 0042786E Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

iyB, xrefs: 00427A25, 00427AED

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: iyB
API String ID: 0-3731409854
Opcode ID: 82a2cd7b577796241e1ca1d68df4e8c19bdbff2167882175c946fb62054906ac
Instruction ID: 5eb112381df64a5e4ca9ad0d44e225ecdcd5d1f1bb51caf5e21dfac7720f3d1f
Opcode Fuzzy Hash: 82a2cd7b577796241e1ca1d68df4e8c19bdbff2167882175c946fb62054906ac
Instruction Fuzzy Hash: 94C13675A0C3A1DFD7148F28EC4172E77A2BF8A324F59867DE49597291C338AD01CB89

Function 00428A93 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

jkl, xrefs: 00428B64

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: jkl
API String ID: 0-2886914207
Opcode ID: 2a9478bbf09f617318cc5a399560ab6bd20e0b7b52417e9a77f7643182a71df8
Instruction ID: 6a2f4df5ba6bf608835fa52a795e9295fcc36086fc6b18e99f3f7a21e25fb5c9
Opcode Fuzzy Hash: 2a9478bbf09f617318cc5a399560ab6bd20e0b7b52417e9a77f7643182a71df8
Instruction Fuzzy Hash: F7B121B5A10225CFCB15CF28E81139EB7B1FF85314F15C26ED465AB7A1EB34A852CB84

Function 0249D54A Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

!", xrefs: 0249D5DA

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: !"
API String ID: 0-405161720
Opcode ID: d2a51c5b92ea9fdc1ca9e4f1cf50c2b9e363c661226de77798c754062468324d
Instruction ID: d55323f0fe92b7d2d80007cf6815cd8a3e1c741f5cb225432dec2fa6406da6e2
Opcode Fuzzy Hash: d2a51c5b92ea9fdc1ca9e4f1cf50c2b9e363c661226de77798c754062468324d
Instruction Fuzzy Hash: 8881EF75A083118BCB14EF68C8917ABBBF1EF85324F04892DE8D58B3A1E779D905C752

Function 0042D180 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction ID: ae5b86585769adcec2c0648a65074736a64153604f355b1e8decb3ed54b0c552
Opcode Fuzzy Hash: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction Fuzzy Hash: 73A14971A047528BE315CF2AD890322FBA2BF87315F68C19DC4E68B356CA39E447C759

Function 024AD3E7 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

6% , xrefs: 024AD5B0

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction ID: 2062b008133f2ad83c5cea7e45f43abdabe8b0fc4fc1a1ecdd1dec4d2900b42c
Opcode Fuzzy Hash: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction Fuzzy Hash: 2DA15C75904782CBE315CF2AC4A0762FBA3AF96214F28C59DC0E68B796CB36E443C750

Function 024A88C2 Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000), ref: 024A896D

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: f1ce64e7a86c89c2947ff0882281fc0832879d245c02af3123d1f08526ff5d61
Instruction ID: 01c15a229dfaf02787f347286abc3b796a83055e39bc175abe9f14d16e106be3
Opcode Fuzzy Hash: f1ce64e7a86c89c2947ff0882281fc0832879d245c02af3123d1f08526ff5d61
Instruction Fuzzy Hash: 3311E1B5688380DBD3359F24E40275BBAB5FF82304F105D2DE1DA9B242CA748010CB67

Function 0042D214 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction ID: cc15d74f708a20da8e8cb6c19a3ede4e76c58c953d780a28caf930209dbed6e1
Opcode Fuzzy Hash: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction Fuzzy Hash: 5AA16B71A047918BE315CF2AD890322FBA2BF87315F68C19DC0E68B356CA39E447C759

Function 024AD47B Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

6% , xrefs: 024AD5B0

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction ID: 5df835b7c6787c8b739adf6bcc6557e79e0a7d37c983c65f4aa4e5b58d45b576
Opcode Fuzzy Hash: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction Fuzzy Hash: D2A15B719047828BE3158F3AC4A0762FBA3AF97219F28C59DD0E68B792CB36D447C754

Function 0042D266 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction ID: a9b46e2689ac7de3a55f2be4adbfcaf996c53fcb27f8e15b49ba1a8bd4667066
Opcode Fuzzy Hash: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction Fuzzy Hash: A4917C71A047918BE315CF2AD890322FBA2BF87314F68C19DC0E68B356CA39E447C759

Function 02498432 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

Uq"s, xrefs: 024984B7

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: Uq"s
API String ID: 0-3860481101
Opcode ID: 7755086902b4204e4df668255a7215e8b23e1c788f8cff70fc5a9c8c6750b27e
Instruction ID: a6f04e5c4c9b59bb38491098b0ab5677ac85d78798563b956a3a6f39d3f7e6e1
Opcode Fuzzy Hash: 7755086902b4204e4df668255a7215e8b23e1c788f8cff70fc5a9c8c6750b27e
Instruction Fuzzy Hash: B681A0729083218BC724CF29C8816ABBBE2FFD9754F55892DE8C56B364D3349901C795

Function 024AD4CD Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

6% , xrefs: 024AD5B0

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction ID: b2af89e14c66d01a476d0837a6edd5c3a71dbe55e4c815a917b2525fc5e3df54
Opcode Fuzzy Hash: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction Fuzzy Hash: F9916C719047828BE3158F3AC4A0762FBA3AF97219F28C59DC0E68B792CB36D447C754

Function 0041DE20 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

~, xrefs: 0041DEEB

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 216a9c789848d00e5cb59f8d8211cbaf616076ffd47aef624a850d2b5a2ba82e
Instruction ID: d6d3c6a8445c6f8249743588b1fe40e3e1262719c9cf6b2cf3403eac3b8b2a97
Opcode Fuzzy Hash: 216a9c789848d00e5cb59f8d8211cbaf616076ffd47aef624a850d2b5a2ba82e
Instruction Fuzzy Hash: 01912B76A046614FC725CE29885039BBBD1ABD5324F19C33DECB99B3D1C6788D4683C5

Function 0249E087 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

~, xrefs: 0249E152

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7523bd33d2efc19dd0ecb5d4ccaa33e76ae4b7c5b0502bed7dba09186ce5a170
Instruction ID: 0fc85e2f44b908026ea982efff17f0aa1ddab952fd55798db1a187cb268acdad
Opcode Fuzzy Hash: 7523bd33d2efc19dd0ecb5d4ccaa33e76ae4b7c5b0502bed7dba09186ce5a170
Instruction Fuzzy Hash: 02910932A042654FCB25CE28885175BBBD2ABC5224F19C37EECB99B3D1C7359805C7D1

Function 0041BF22 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

dro, xrefs: 0041BF40

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: dro
API String ID: 0-3240311609
Opcode ID: 81e9700b6e01af517d36219ee3d269a01a390bb6240e79e39fe3e60abaab7110
Instruction ID: 02dc4405a3e6021a5cbca0989817c2553649738a3642eb7fa6ebf8f960d4c5bd
Opcode Fuzzy Hash: 81e9700b6e01af517d36219ee3d269a01a390bb6240e79e39fe3e60abaab7110
Instruction Fuzzy Hash: 187176759483919BD3048B398C91767BFD2DBE7308F1C985EE8C187342DA3989868B96

Function 0249C189 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

dro, xrefs: 0249C1A7

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: dro
API String ID: 0-3240311609
Opcode ID: 33f7236ae50751edfb3010370f9903eab25f818a51d50b109d84e0071e9a583f
Instruction ID: 02e90caa937e56a62370de9dd92c38fd779db97fd5d848b855323cbe3b2c3024
Opcode Fuzzy Hash: 33f7236ae50751edfb3010370f9903eab25f818a51d50b109d84e0071e9a583f
Instruction Fuzzy Hash: 567179719093909BE714CB39C8A072BBFD2DFD7605F0C98AEE8C197342CA798506C792

Function 00405F30 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

,, xrefs: 00406099

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction ID: fd5de62b931450e1b5ef7df0d1c47e4616b1cce952855a0423c27ce4652e9c43
Opcode Fuzzy Hash: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction Fuzzy Hash: 76B138712083819FD324CF58C88065BBBE0AFA9708F444E2DF5D997782D635EA18CB96

Function 02486197 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

,, xrefs: 02486300

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction ID: 5663230afd5def4ecb516e44c2ff23e10beaa25fc5b42e5f37bef271b94ceded
Opcode Fuzzy Hash: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction Fuzzy Hash: A0B149712093819FD324DF58C88061FBBE4AFA9704F444A6EE5D997342D631EA18CB97

Function 0042D257 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction ID: b8df2322cb536cb33b07af95d5f6a3d6698056d30af99c56fcac6dd6d67ba28c
Opcode Fuzzy Hash: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction Fuzzy Hash: 4C913571A047818BE315CF2AD890322FBA2BF97305F68C19DC0E64B356CB39A447C798

Function 024AD4BE Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

6% , xrefs: 024AD5B0

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction ID: e019c46ac8147eab1ca3453ba1004ff27027ac7d7fc7528f8e200ab8ee09295e
Opcode Fuzzy Hash: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction Fuzzy Hash: A89149759047828BE3158F2AC8A0762FBA3AFD7205F28C59DC0E64B796CB36A447C754

Function 00427BD5 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

^<, xrefs: 00427E5D

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: ^<
API String ID: 0-1250827938
Opcode ID: 41e37e9b5d8b07674b8e2bc82c1261f9383bfe3a2d7342c08b38cd1e59e2a959
Instruction ID: 76318579643728f0616f3690cf73170bc26675f2eb789232e4368340809d3467
Opcode Fuzzy Hash: 41e37e9b5d8b07674b8e2bc82c1261f9383bfe3a2d7342c08b38cd1e59e2a959
Instruction Fuzzy Hash: 5181E0B9A083509FD3109F24E84071FB7E4FB89714F55492EE88897392DB75D805CB8A

Function 0042B160 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B35E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 8be67bf744424876015e1858f150e1ce453c6b6d4703576606dd92d972622597
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: F571F632B083658BD714CE28E48472FB7E2EBC5750FA9856FE89497351D3389C4587CA

Function 024AB3C7 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 024AB5C5

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 8335fa1dbccb3cd8bf97ad7e8f8c786d68427b6ef70455a9fe999bdff75c2d0f
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 8471C232A083558BD724CE2DC5A031FBBE2EBF5718F19892EE4949B391D735DC898742

Function 00431AC0 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

d, xrefs: 00431B2D

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction ID: f78b69759fe7f0466518a5f921d398374ab8837811b96817ed1437767379557e
Opcode Fuzzy Hash: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction Fuzzy Hash: 18613837759A8007D32C9D7C5C6127ABA834BDB234F2DD37EA6B28B3F0D96948065318

Function 024B1D27 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

d, xrefs: 024B1D94

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction ID: bcf81ca18e6c73fec25f75d7e38197ba362ccfa08dd14f374f6ab512f1122742
Opcode Fuzzy Hash: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction Fuzzy Hash: 74613A27759A8047D32D9D7C4C712BAB9934FC7230B1DC77FA6BA8B3E5DA6948068310

Function 00423732 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

27B, xrefs: 0042371E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: 27B
API String ID: 0-3497748580
Opcode ID: b4082868dfb7063f9be6c2d191fcc1f2b7a2117ff56b87734f3401745b7f1223
Instruction ID: c4cd7dd8fa27340fd1b3b76944cbe8f8ccbb3a7eca1188f99904cf29aa833f8a
Opcode Fuzzy Hash: b4082868dfb7063f9be6c2d191fcc1f2b7a2117ff56b87734f3401745b7f1223
Instruction Fuzzy Hash: 2651D4B5A08201DFE718CF28DC9166673F6FF89712F19897DE98697290C738EE11CA44

Function 0041B5C0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_, xrefs: 0041B6BC

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 8ac5de3e5cca27c052d834e504919dfc6ce616a8baca3a3630348c3b6fac329a
Instruction ID: 2095892abeed3e63248c1bac6475b1cb5e61301d5b1f08562b12af1249ddd8f5
Opcode Fuzzy Hash: 8ac5de3e5cca27c052d834e504919dfc6ce616a8baca3a3630348c3b6fac329a
Instruction Fuzzy Hash: A271F456204A910AD72CDF7485923377EE69F84308F2881FFCA95CF797E938C512878A

Function 0249B827 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_, xrefs: 0249B923

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 23ba627c70558a569b6833cc87e2daeea145153ec277c334166e4bbe58496d53
Instruction ID: 5e3cf09548e6d2105449347a71fbc4012b8374f71e94a7141b86df795318c528
Opcode Fuzzy Hash: 23ba627c70558a569b6833cc87e2daeea145153ec277c334166e4bbe58496d53
Instruction Fuzzy Hash: 9B71051A2156910ADB3CDF74849273B7EE69F44308F2881FFCA55CFA9AE538C5128B49

Function 0040DF8D Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

UQ, xrefs: 0040DF95

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: UQ
API String ID: 0-2591677068
Opcode ID: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction ID: 39d3de3d28a3e67e62fc0c13682f510b587cc126d58f124ace1182a0a6455662
Opcode Fuzzy Hash: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction Fuzzy Hash: 48513673E183A04AD324CF25CC4179BB6E39BD5314F2AC93ED8CDB7246EA3558468786

Function 0248E1F4 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

UQ, xrefs: 0248E1FC

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: UQ
API String ID: 0-2591677068
Opcode ID: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction ID: c1fc7af3b338d5a2fe4e9ad5ae12d9be3f3676ad34c87398f213680206439e18
Opcode Fuzzy Hash: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction Fuzzy Hash: EA512373E183A04AD324DB24CC4079FB6E39FD5215F2AC93ED8CDA7245EA7148468786

Function 0042BC19 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0042BCA7

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction ID: 756509cdf9cac3bf2e34f76bae273f07a8d4023ddd2e4317da20aa67c7602937
Opcode Fuzzy Hash: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction Fuzzy Hash: D65126356047928BE7158F2AD0503B2FBA2EF97310F58819EC4D59B393C7789883CBA4

Function 004376A0 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

"xC, xrefs: 004377EE, 00437813

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: "xC
API String ID: 0-3434850376
Opcode ID: c3b2ed7e45b1094a6ddc0ba9478e4cf45ac2fdf2c6a527eb020dd82b17fb73e8
Instruction ID: 61a97f09bd6a64862f832a295961c9e37e45eecc3afd59bc8d2babe33846ee3c
Opcode Fuzzy Hash: c3b2ed7e45b1094a6ddc0ba9478e4cf45ac2fdf2c6a527eb020dd82b17fb73e8
Instruction Fuzzy Hash: EA5145B46083009BE7209F24D846B7BB7E5EB8A304F14982DF9C587392D738DC05C79A

Function 024ABE80 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

]PUY, xrefs: 024ABF0E

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction ID: 2cdd684fffc0996f0e363f8cf299ed2199e02dbd16ef3633c17b11c824b14469
Opcode Fuzzy Hash: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction Fuzzy Hash: 1351F5316047828BE7158F2AC0A0772FBA2EFA7318F1C819AD4D69B757C7759487CB60

Function 0042BBE5 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0042BCA7

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction ID: 101f83398723957eaf8ebab7bedcad0287a2f185440708d10144fae7b8688d1b
Opcode Fuzzy Hash: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction Fuzzy Hash: 0841F5242047928BEB158F2A90503B2FBE1EF67310F6885DEC4D55B393C7789887CB95

Function 024ABE4C Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

]PUY, xrefs: 024ABF0E

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction ID: ed200078cd160414779b06f6972073b0d9319227f2c40158eee9dd423a52b95d
Opcode Fuzzy Hash: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction Fuzzy Hash: 9641D3201087828BEB158F2AC060372FFA1EF63318F1895DAD4D69B793C7759487CB61

Function 0042BBBB Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0042BCA7

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction ID: 520b36c6a1d2f3d526d8f217c0768528d4c8211d62a9dc5acd7122e48dd87a66
Opcode Fuzzy Hash: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction Fuzzy Hash: FB3100342047928BE7258F26D0503B2FBA2EF97310F28859EC4D55B793C7789883CBA1

Function 024ABE22 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

]PUY, xrefs: 024ABF0E

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction ID: 6ace4273679db7dfe6fae6dc538ecc2c90cd35483d4dcb2974133086f7a1f118
Opcode Fuzzy Hash: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction Fuzzy Hash: 9D31BF342087828BE7158F26C060772FBA2EFA7318F18859AD4D69B793C7759487CF60

Function 02496019 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

@FGX, xrefs: 0249609A

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: @FGX
API String ID: 0-349140567
Opcode ID: 878762f2f0a2801bfa519c8d639aef9d2eaf33176eb3fe418c667f0476a2548a
Instruction ID: 8e58ab3fcd0f2d662bd1532314b6ff7c725d63aff29ae9d19385fbcddf0f1fed
Opcode Fuzzy Hash: 878762f2f0a2801bfa519c8d639aef9d2eaf33176eb3fe418c667f0476a2548a
Instruction Fuzzy Hash: 99314477B953404BDB25CE6A8CD12ABE6D7EBC5314F2E853E84D9C3291CBB464068611

Function 024BBEC1 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

@ONM, xrefs: 024BBF08

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: @ONM
API String ID: 0-2801865338
Opcode ID: 493ae99af8cab98e6aeec1ba3077f37be9659935b85154a414cff4319a71862d
Instruction ID: 4a9232dcdbe3733e0b395e0ad184df9de8905204b3366f9f7c650704ed678d87
Opcode Fuzzy Hash: 493ae99af8cab98e6aeec1ba3077f37be9659935b85154a414cff4319a71862d
Instruction Fuzzy Hash: 3731C4742051429BDF19CB18D8949BF3656EF47328B28453AEC5BD7A99CB309802CF64

Function 024A4B27 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

t2t4, xrefs: 024A4C3C

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: t2t4
API String ID: 0-2282852718
Opcode ID: 3cdf43acc4d95fd44215b9c48030b4911bcb054b2fc525bf5e5327d49e8ffd77
Instruction ID: a855374b2e661fd97c2a9efd6b001d00437663a1a085c8d9612cfd3352703836
Opcode Fuzzy Hash: 3cdf43acc4d95fd44215b9c48030b4911bcb054b2fc525bf5e5327d49e8ffd77
Instruction Fuzzy Hash: 884139B0E203588BDF60EF7DD94679DBFB4AB45304F1042AAE558E7284E2704998CF92

Function 0043DE70 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

@, xrefs: 0043DED8

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 1c568b1421a8fda0da9f5e36dd6259d31bdf45c63349f98fec975da721f67115
Instruction ID: 0b7b3504051f5e1ff1aa4768d83721eb93ddf2e73f62a010e3e9f82a19ad0d6f
Opcode Fuzzy Hash: 1c568b1421a8fda0da9f5e36dd6259d31bdf45c63349f98fec975da721f67115
Instruction Fuzzy Hash: 673135B59083049FC314DF58D8C16ABB7F5EB8A314F14983DEA9587361D3399908CB6A

Function 024BE0D7 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

@, xrefs: 024BE13F

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0d53208c25008a210efc295e101664b5ebd8cbd2329c7a3b43188f79c44213d5
Instruction ID: bd444f62e6f3827aec7ad6641f333a4e9948787582f7c476c468281369aa51a2
Opcode Fuzzy Hash: 0d53208c25008a210efc295e101664b5ebd8cbd2329c7a3b43188f79c44213d5
Instruction Fuzzy Hash: F231F1B52083049FC325DF58D8C06ABB7E5EFC6314F64882DEA8587360D3759908DBA6

Function 024A4246 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

LN, xrefs: 024A4281

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: LN
API String ID: 0-1386821167
Opcode ID: e67d5fcc7911b71495b8df328d27c9b650f560e38f1ee29202c43e0c0b9ea386
Instruction ID: 39799614c107fedf2441cf393352eb4800b641ca02bfbc067b99853edcf9ac63
Opcode Fuzzy Hash: e67d5fcc7911b71495b8df328d27c9b650f560e38f1ee29202c43e0c0b9ea386
Instruction Fuzzy Hash: 0D2133746083008BC7149F69C8A26BBB3E1FF82354F09592DE491CB390EBB88404CB12

Function 024A7C96 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

iyB, xrefs: 024A7D54

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: iyB
API String ID: 0-3731409854
Opcode ID: 9259bb26a152aca595539770708dabec1128ae6435e6817575d0fec8d03ea0cc
Instruction ID: da208562351fc1904d003f163c42ffb66fe3c3a9fb15d21e8ba35ef7a9de9cab
Opcode Fuzzy Hash: 9259bb26a152aca595539770708dabec1128ae6435e6817575d0fec8d03ea0cc
Instruction Fuzzy Hash: 432103365082E08EE7314F3C88603B9FBA36FA3624F28438AE4F54B3E1C3665945C751

Function 0043B46E Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

I^c[, xrefs: 0043B49E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction ID: 25b1d4c7fe5298297f98f02f1a5c1a673882f088088ba95967c849d929fc2c0b
Opcode Fuzzy Hash: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction Fuzzy Hash: F9C092BCB5D000DF9B08DF26FC42971B33AB79B607B25F6768052E7226C264D412464E

Function 024BB6D5 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

I^c[, xrefs: 024BB705

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction ID: 1879e9198802b544733377795bf8f13abc4de3c7e621050dd3b45d57e28ac4d3
Opcode Fuzzy Hash: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction Fuzzy Hash: C6C048BCA694049F9B08DF25A8528B2A23AAB8B61AB15A266C452E7225C260D452864D

Function 0043B497 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I^c[, xrefs: 0043B49E

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction ID: a887d184a45c50a685db49a5a985dac011b4f3fa4bc32fdc8b107411e9fae9f1
Opcode Fuzzy Hash: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction Fuzzy Hash: BCC092BCA480009B9B00DF25FC418B2B37AB79B30AB25F260C450E7225C261E412464D

Function 024BB6FE Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I^c[, xrefs: 024BB705

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction ID: a887d184a45c50a685db49a5a985dac011b4f3fa4bc32fdc8b107411e9fae9f1
Opcode Fuzzy Hash: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction Fuzzy Hash: BCC092BCA480009B9B00DF25FC418B2B37AB79B30AB25F260C450E7225C261E412464D

Function 00410C48 Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7507d81c928ac82049bd46078ae2362f1992282f42cbd9c1703c075f6b36e57
Instruction ID: 2639d11f868ecb2a67b7e53cfbbff553806d46d54c1d273c0f2991630b5050a0
Opcode Fuzzy Hash: a7507d81c928ac82049bd46078ae2362f1992282f42cbd9c1703c075f6b36e57
Instruction Fuzzy Hash: ED72D6B5A04B408FD714DF38C58539ABBE1AB59310F198A3ED5EB877D2D638A445CB02

Function 02490EAF Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f0d1c00f4a1e62b2840e581340ced4cfdd6dfc13c31f2ce482daf85d2e5f6d
Instruction ID: 730a823cdf5019fd6e83f176330c6670b3ac43288f79fb4bf000d245116d654c
Opcode Fuzzy Hash: b7f0d1c00f4a1e62b2840e581340ced4cfdd6dfc13c31f2ce482daf85d2e5f6d
Instruction Fuzzy Hash: E972B1B1A04B408FD715EF38C58536ABFE2AF45310F098A2ED8EE87791D675E445CB02

Function 00406790 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7768a2ec1ec57bdb09b9fca9920a6373ba49f1e517b4f56a6699e1c1d36b0500
Instruction ID: 72675b05eda19e8779dbb1a5eb2d7c88ae4b40604f77750e9e8d50bd5a7f5789
Opcode Fuzzy Hash: 7768a2ec1ec57bdb09b9fca9920a6373ba49f1e517b4f56a6699e1c1d36b0500
Instruction Fuzzy Hash: 9752DFB0908B848FE7308F24C4843A7BBE1EB91314F15493ED5E756BC2C27DB995875A

Function 024869F7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0215ec4d3f347251e42ca146c9c1c47a6081e8930381342054545bb4b2ce7b
Instruction ID: a98323aa5847d0e0c1e05aef042f35f5771f23bf13ccd511b5b53c1faf35badf
Opcode Fuzzy Hash: 3e0215ec4d3f347251e42ca146c9c1c47a6081e8930381342054545bb4b2ce7b
Instruction Fuzzy Hash: E152E5B09187848FE731EB24C4953ABFBE5EB81314F15482FD6E606B82C379A4C5CB56

Function 00402F30 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction ID: da475d6a246946d4cec44fa4efeb10d33b8412e81d3eb66c4c6f635d26bd4b4c
Opcode Fuzzy Hash: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction Fuzzy Hash: 8F5204715083459FCB14CF18C0906AABFE1BF89305F188A7EF8996B391D778DA49CB85

Function 02483197 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction ID: c7e33dd609f9126a7e4f165af0383f20296e711350cabd95314ffd6e33e12a39
Opcode Fuzzy Hash: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction Fuzzy Hash: 3352D5715183858FCB15DF18C0906AEBFE1FF84718F198AAEE8995B342D774E889CB41

Function 00407570 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction ID: 4e3332cc0deee687a8a334ff1813413eab0d93817b1e44ac7c27c7d66513df7c
Opcode Fuzzy Hash: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction Fuzzy Hash: FA22B331A0C7118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B47

Function 024877D7 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction ID: c43fc6e3f1f385630831e66056a86b7133b985631965128b1d2b7a3d06be50dd
Opcode Fuzzy Hash: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction Fuzzy Hash: D822C536A187118BC725EF18D8906BFF3E2EFC4319F29892ED98697381D734A851C742

Function 00403930 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c936248dd15a90f11275c05cfe2abed3d894a05c23be56f02150f2d66484dc7
Instruction ID: f91ac753e7a7bebbe6f01e4586a9fb8008f51502e6128f977470d04f56866aa1
Opcode Fuzzy Hash: 9c936248dd15a90f11275c05cfe2abed3d894a05c23be56f02150f2d66484dc7
Instruction Fuzzy Hash: 72323370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F91D33AF945CB18

Function 02483B97 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7165acfac48d10b10cc906fd56f26c012e1dc3796495e09fa17235e7a0a0c02b
Instruction ID: 441664baa8299d33b6d7090166475920ed250c23c0589f3c73655914c88324e4
Opcode Fuzzy Hash: 7165acfac48d10b10cc906fd56f26c012e1dc3796495e09fa17235e7a0a0c02b
Instruction Fuzzy Hash: 013226B1524B118FC378EF29C68052ABBF1BF45A10B504A6ED6A78BF90D736F485CB10

Function 00411754 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4399ecb8baadbca22b22961bfeedad6fad9a5a94aec60e0953211bf4274ded24
Instruction ID: 98ec66b8c1a97905fe01f5c0427ca16a74e3336330c12707f3f83f9c89bcd337
Opcode Fuzzy Hash: 4399ecb8baadbca22b22961bfeedad6fad9a5a94aec60e0953211bf4274ded24
Instruction Fuzzy Hash: 712208B5A04B408FD710DF38C5853AABBE1AF45314F19893ED9DB87392E638E845CB46

Function 024919BB Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58efec98727fc57eb49f7cb0e9cbbc0a75df3e9071bb18bb188ed01f6096472b
Instruction ID: 96972b734001f66dbbe296125a376d7bfbd968d71f75200b0b4cc7257a0276da
Opcode Fuzzy Hash: 58efec98727fc57eb49f7cb0e9cbbc0a75df3e9071bb18bb188ed01f6096472b
Instruction Fuzzy Hash: 6F22A1B1A04B418FDB10EF38C58576ABFE1AF45310F09892ED8DF87391E675A845CB52

Function 00405910 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9354d7824bd0ca0315f6ddc57654dc713f71e9f8d0d247da35a61c01bc012f
Instruction ID: def549739959aa1c0ffb1d8319d7866a258dd23cfbe129c461b9684a64659dd5
Opcode Fuzzy Hash: 2b9354d7824bd0ca0315f6ddc57654dc713f71e9f8d0d247da35a61c01bc012f
Instruction Fuzzy Hash: F312F6356087418FC718CF29C88176BFBE2EFC9304F18986DE48597391DA7AD906CB96

Function 02485B77 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8f1ba40d69d5bde80ae8fa599bd4feb8ac876169a2b820b4dd33578d6fdeb3
Instruction ID: 952fe5eeed3fabe1634f7f8256fb8bcd9e166885a3ff5ab9d0ce4564a9e94035
Opcode Fuzzy Hash: 9f8f1ba40d69d5bde80ae8fa599bd4feb8ac876169a2b820b4dd33578d6fdeb3
Instruction Fuzzy Hash: 5912D7356083408FC709DF29C88176EFBE6EFC9308F59986DE48987352D676D806CB86

Function 00414540 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51be6763741591a344035aee5f01d1f927f1a18619105219077da959fd683791
Instruction ID: 45b0ab52f420e3ba935d0bafd95dda87e1debf7e0fa4e07306b6ab54504057c1
Opcode Fuzzy Hash: 51be6763741591a344035aee5f01d1f927f1a18619105219077da959fd683791
Instruction Fuzzy Hash: EDB136B65043008BD710DF28D8927A7B3E2FFC6314F19892DE8958B391E778D945C795

Function 0043CF80 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059769d25465fa904045713d430c74e0c19b5440f004898a5c2b1854bbe45773
Instruction ID: 2defda59d44219d426c681d2463f069c640b5c871f03dbe95b53d4ed1b68336b
Opcode Fuzzy Hash: 059769d25465fa904045713d430c74e0c19b5440f004898a5c2b1854bbe45773
Instruction Fuzzy Hash: C7D1DC75218350CFC708CF28E89066AB7E2FB8A314F1A887DE496C33A1D735E955CB46

Function 004378D0 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 427c0fc586407c4ea0078952a370e9d9554c9c643e7107aaae41e02421330025
Instruction ID: 2deb6e74b8718a018f8efba68a9f02d3293afff909e64734b2e97404956019a2
Opcode Fuzzy Hash: 427c0fc586407c4ea0078952a370e9d9554c9c643e7107aaae41e02421330025
Instruction Fuzzy Hash: 24B147B5A0C3144BD734DF24888162BB7A2EB8E714F19A62DE8D657382D734EC0587D9

Function 024B7B37 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054c87af421987512c5dfa6be52cdc19003700aceb3296971f5168ca6f543083
Instruction ID: 784c719708e20f05887589cd11ff6bc39036038f733d61b4a709ba42f5654260
Opcode Fuzzy Hash: 054c87af421987512c5dfa6be52cdc19003700aceb3296971f5168ca6f543083
Instruction Fuzzy Hash: 2AB16B76A083504BD726CF24C880BABF7A6EFC6728F19892DD98557391D731DC05CBA1

Function 0249705F Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a70da64b343dfc23983d61a05f63469784d3c1d00e12034010d268624f78d42
Instruction ID: 87b3157ab58d81c91a226cb36bed157dc3ed579a40038144954069ebe6ba19be
Opcode Fuzzy Hash: 0a70da64b343dfc23983d61a05f63469784d3c1d00e12034010d268624f78d42
Instruction Fuzzy Hash: 47C11472B543404BCB24CE69CC817ABBAD3EBC9324F1D463ED69AC7391DB7898428741

Function 0041E120 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328ea296a7f7ae6c8b0baddf8a211a627a6d3a701859a0bdc1bd594e0ea51691
Instruction ID: 874500187d1a9ea359c5eaacb664325c6b1477c52cd05e823e098c99c9f3bc61
Opcode Fuzzy Hash: 328ea296a7f7ae6c8b0baddf8a211a627a6d3a701859a0bdc1bd594e0ea51691
Instruction Fuzzy Hash: B4B13539904301AFD7149F25DC41B5ABBE2BFD9318F044A3EFDD8932A0DB3998558B46

Function 0249E387 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8cca080761a21679a6a4f7ea86b1eedf8f6b114b92e756efe287ff7f903918
Instruction ID: 4c4279455c714bb1bf270ca11aa5f9e9cd33d9f663aab1d7c2a5cb349bfcf2d0
Opcode Fuzzy Hash: da8cca080761a21679a6a4f7ea86b1eedf8f6b114b92e756efe287ff7f903918
Instruction Fuzzy Hash: AFB1E375A14301AFDB15DF24CC40B5ABBE2BFD5318F044A3EF998972A0EB36D9048B52

Function 0043E5A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a56997fbc0441fba347c17bd88a0b8ecd0458ad4f04b3dba3efdd3b01069101
Instruction ID: a33946bf24030606281bada71f5617d421b8dc4e0a7d6ffe09abec0077bdf50c
Opcode Fuzzy Hash: 0a56997fbc0441fba347c17bd88a0b8ecd0458ad4f04b3dba3efdd3b01069101
Instruction Fuzzy Hash: DFA10535A093119BC728DF19C490A6FB7E2EF8D710F18982DE9869B391DB35EC01DB85

Function 024BE807 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc9a56e6d596b9446dddd8607c67a23e00e769281a2c15c8f8cd0a141635c9c
Instruction ID: fc1c07a10cf8b3df7c4f0af9f89048309d1f6b3e50d91a851a72e0121f3135b3
Opcode Fuzzy Hash: fcc9a56e6d596b9446dddd8607c67a23e00e769281a2c15c8f8cd0a141635c9c
Instruction Fuzzy Hash: FAA106357083119BCB25DF28C490AABB7E2FFC9714F45852DE986973A1DB31AC41CB91

Function 024947A7 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a955c6a8e8ed12e7a199b7d5deba70926d4c22ee274e8291fcfe4a7906277d2
Instruction ID: 7f0c8998d5efbb8d0f095eef3f762fc582347144febdf1023b9e3080776d7e2d
Opcode Fuzzy Hash: 3a955c6a8e8ed12e7a199b7d5deba70926d4c22ee274e8291fcfe4a7906277d2
Instruction Fuzzy Hash: 9D8103769043458BCB14DF28C8927A7B7A1FF81314F098A5AE8914B791F774D90AC791

Function 0043E260 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9970deb9edb282636baeaa6d043b3509394b640a415c118d0e44f9897387f1f
Instruction ID: 9644128e59c8f48f137d3a87ac465f269293a938a84db89a5fb90a06c87de915
Opcode Fuzzy Hash: f9970deb9edb282636baeaa6d043b3509394b640a415c118d0e44f9897387f1f
Instruction Fuzzy Hash: 7391F1352053019FC718DF19C4A0A6BB3E2EF8D714F19986DE9869B391EB35EC01CB86

Function 024BE4C7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1485bbc811f0b5d664c5522e7e62ad77d6d43744d9be96812a9eabd4a03ff1f0
Instruction ID: 37a0d8c644364c7a227eba4dcecaa67789778ff4dfc71d66d219da0e3d70b416
Opcode Fuzzy Hash: 1485bbc811f0b5d664c5522e7e62ad77d6d43744d9be96812a9eabd4a03ff1f0
Instruction Fuzzy Hash: CC91C4393047019BC719DF28C4A0AABB3E2EFC9714F59856DEA859B351EB31EC11CB91

Function 004228F0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9210703c3e3ead337d14b769222129f064cb0e19ddb24e14e278d5e2d4c72068
Instruction ID: 1eb13f8c0f7c5437e88a4037a37c2ba365cc1fff68e66afb2e4752f38bc20672
Opcode Fuzzy Hash: 9210703c3e3ead337d14b769222129f064cb0e19ddb24e14e278d5e2d4c72068
Instruction Fuzzy Hash: F69125B1704310ABD720DF24DC92B6BB7A1EF85324F04891DE9859B391E7B8E905CB5A

Function 024A2B57 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a85ff48ca583132445085813475697644c2a3260da44527b0ce6ca9ca443da
Instruction ID: 8d18e25ca8694b35675ed044d4e619c168a0ccb41b72f18ddcb0300ff222c0fe
Opcode Fuzzy Hash: 03a85ff48ca583132445085813475697644c2a3260da44527b0ce6ca9ca443da
Instruction Fuzzy Hash: E29135B1A043019BD720DF24CCA1B6BB7B5EF95314F04891EED858B391E3B5D845CB62

Function 00406300 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction ID: f23f32cf01dc30952394d059975e429ee5425c20b13872ae872a387af0b31eb4
Opcode Fuzzy Hash: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction Fuzzy Hash: 7BC16BB29087418FC360CF28DC96BABB7E1BF85318F09493DD1DAD6242E778A155CB46

Function 02486567 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction ID: 9cd00954d74e8f39d4d4466b0f0e4eeabf1aa8679e5fddec861c9ba862322331
Opcode Fuzzy Hash: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction Fuzzy Hash: CEC17EB2A187418FC364DF28CC86BABB7E1BF85318F09492DD2D9C6342D778A155CB46

Function 00426B10 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3534712479a2143452d67aaac18d54eb7473398a5fc13d93ff3e0636a2857a2a
Instruction ID: 655a0559c217653cef3fca3199031bfa73ff368d8ccf1923f27e202b99122e6b
Opcode Fuzzy Hash: 3534712479a2143452d67aaac18d54eb7473398a5fc13d93ff3e0636a2857a2a
Instruction Fuzzy Hash: 78715976B043604BD7249F25EC8272B73A2EFC5314F5A843EE88587386E73CAC05875A

Function 024A6D77 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1267b7fe993aa0bec75e9b33632803229fdd51b255bb84806e6471695dd0b5f7
Instruction ID: 1b71261c62caf07ef61897eea48d2188c4fae4bb02bb71eb6fbdcc03015c6903
Opcode Fuzzy Hash: 1267b7fe993aa0bec75e9b33632803229fdd51b255bb84806e6471695dd0b5f7
Instruction Fuzzy Hash: 867116B26043414BDB24DF25CC92B6BB3AAEFD1314F1E843EE88687385E335E8058752

Function 00428005 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3962b5a4d76f573ddfad7ae27d55818d93d2ff7dd1357bd24553ef01724fa84a
Instruction ID: 22ff485e549f6443c3d6949a31a029aa7963071f38f3dda40c7bb38aca216ede
Opcode Fuzzy Hash: 3962b5a4d76f573ddfad7ae27d55818d93d2ff7dd1357bd24553ef01724fa84a
Instruction Fuzzy Hash: 95913572A04B158BD718DF29D86133FB7D2ABC5304F4A863DD9968B3D2DF3898058B85

Function 00439AD0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0099e44d0a544cabda61d6d480e4783b3ba25f567e3dda249a702d8631e02f0b
Instruction ID: 31a4208be66890e024ccdaba488de7446d06012f33711c004bb2343707e414f1
Opcode Fuzzy Hash: 0099e44d0a544cabda61d6d480e4783b3ba25f567e3dda249a702d8631e02f0b
Instruction Fuzzy Hash: 43517D36B042105BD7249F29D88276BB7D2EBCD714F29953EE8C55B386D2785C02C7C9

Function 024B9D37 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af0b475dbb345dde9474c58a10ec826e452da1c6a1c93555822a34b2b044b0c
Instruction ID: f436670e3d827e4eff72c56c17e59c3ef764a72b68f9d039d810600e13d9fc52
Opcode Fuzzy Hash: 2af0b475dbb345dde9474c58a10ec826e452da1c6a1c93555822a34b2b044b0c
Instruction Fuzzy Hash: EE514B36B042104BD7258F29CC817EBB792EFC5724F29853EEAC557396D3315C028BA1

Function 0043DFA0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e31a75f6465148eed7c5f06df97d7a8beef448c5e813ecb061097bf9e831d20
Instruction ID: e0930f2ca75b34a07e50f2291cc182f3ed73123002e8a1e8e1ce327a60199e33
Opcode Fuzzy Hash: 4e31a75f6465148eed7c5f06df97d7a8beef448c5e813ecb061097bf9e831d20
Instruction Fuzzy Hash: F87199356042119BCB24EF19C850A7FB3E6EFC9310F19942DE986973A1EB34AC11CB86

Function 024BE207 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa4cbe2942b50c698837d5915ef38f045e554296c8cf0f1222bda5a3643e456
Instruction ID: e9e8ca0d3ce07a8c7af88bf9edf18b20d073439d0de4a561f7864f70aa0bc46c
Opcode Fuzzy Hash: 1fa4cbe2942b50c698837d5915ef38f045e554296c8cf0f1222bda5a3643e456
Instruction Fuzzy Hash: 9C7137357042019BC726DF28C850AEFB3E2EFC9750F45942DE9859B3A1EB31E851C7A1

Function 00429611 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69c8f324d6e44b7029bbb22f192a0ae35868fd7677be5bcff18cfd97e7de504
Instruction ID: 6d8d39d0a974a7ba50fd132e75342286684842a67c649204b07d671cb687baa6
Opcode Fuzzy Hash: e69c8f324d6e44b7029bbb22f192a0ae35868fd7677be5bcff18cfd97e7de504
Instruction Fuzzy Hash: 6581FC35A01214CBCB189F64ED916AE7772EF8B314F18817DE8026B7A2D7399D01CB9D

Function 004300C0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction ID: 49058c05cb2899372a75d36f1cec8dc5094a28dca2d35a0b198b6fed829a9b46
Opcode Fuzzy Hash: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction Fuzzy Hash: 80814A23B196804BD71C4D7D4C613AAAA934BDB330F2D93BEA9B68B3D2C46C4C0A4355

Function 024B0327 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction ID: d0b2251b6ba0699cb374722df18169bebaf9d03c1d5f216f300dbd0240a9d8ed
Opcode Fuzzy Hash: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction Fuzzy Hash: D6813927B19A904BD71D8D3C4C513EBAA934FD7234F1D937FA9B58B3D2C568880A8360

Function 00428A1C Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbba8be4a8c59089388be30d0d5c29c0a7489d5686b59b0700550f939163c58
Instruction ID: 0517f302109c657157973426c965d44916a8b41a770f58b5d68b0597ad2e084c
Opcode Fuzzy Hash: 2bbba8be4a8c59089388be30d0d5c29c0a7489d5686b59b0700550f939163c58
Instruction Fuzzy Hash: 647111B2F012209FD704AF7DCC8279EBB72FB82310F5A426DE415AB285CA7444068BD6

Function 00439FA0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7e91b2c8e92737d3891b3661a1f77ad2c05db7c5f1408f2a7c0f51fb9c4930b
Instruction ID: bbdf4fb82f32d5c60c6b02c3954efd8ca4570e5071c2a9c3b0ec39a68bab0446
Opcode Fuzzy Hash: f7e91b2c8e92737d3891b3661a1f77ad2c05db7c5f1408f2a7c0f51fb9c4930b
Instruction Fuzzy Hash: F2616C36B512104BE7189F28CC8167BF7A2EBCA324F19A63EDCD557385C7389C118786

Function 024BA207 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebf83000694b99532cab8dfdd650a83a4983d590e8c44a93fafd3b7de8b696c
Instruction ID: b6d296e01c4cd7ab56621d52e81bbeabd530146f4e683d8bebdafbb1e65974c7
Opcode Fuzzy Hash: 2ebf83000694b99532cab8dfdd650a83a4983d590e8c44a93fafd3b7de8b696c
Instruction Fuzzy Hash: 29612B35F112604BE7199E29C8816BBF792EFC5328F19853EDC955B381D7349C02C7A2

Function 00419A85 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d45555018de56a9cffe1db840fcb1ff8ede3f52d9ea22efa1c0fde84e4700b
Instruction ID: 1bb5ebbdcf98670a5c9c04c7a13dce0c5353ce1f979e889aea20a3972baad2a2
Opcode Fuzzy Hash: 61d45555018de56a9cffe1db840fcb1ff8ede3f52d9ea22efa1c0fde84e4700b
Instruction Fuzzy Hash: E451E47BBA47104BD7288EB9CCD03DA66C2A7C5325F0E833DC89DD7245DA7C594A8285

Function 024A89F9 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7446e083fdef0d0e748ae56bdc0726b2283df5ba2e0f598cd37279e8197aacd6
Instruction ID: 48b235ed2032cf0e7d59d4f90d063d8227eedadb6a141f733d3b2c9b07068b82
Opcode Fuzzy Hash: 7446e083fdef0d0e748ae56bdc0726b2283df5ba2e0f598cd37279e8197aacd6
Instruction Fuzzy Hash: 537101B2E012149FD7049FBDCC8279EBF72EB82310F5A426DE455AB296CA7454068BD2

Function 0041BB20 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbbebc9c7a83dffad06bdb718bf19d923175a20288aaa42a7d845d8ad677b5f
Instruction ID: d86312fa1fd08075a91672bf7a77177cae0798a0c8a1c7f4f848d755219c3e9f
Opcode Fuzzy Hash: 2cbbebc9c7a83dffad06bdb718bf19d923175a20288aaa42a7d845d8ad677b5f
Instruction Fuzzy Hash: BC5127712093418FD714CF29C8A26AB7BE1EFD6314F08596DE0D18B395EB388845CB96

Function 0249BD87 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c614c91738a62a72aa0ed460f244121af728316e758c96734231062f75524a6f
Instruction ID: 5ecbe100eb5c307e060ac97e400f4ff75475e5640dcda930bb86a11bc7d36a01
Opcode Fuzzy Hash: c614c91738a62a72aa0ed460f244121af728316e758c96734231062f75524a6f
Instruction Fuzzy Hash: 6F5106712093418BCB14CF29D8917ABBBE2EFC2318F08596DE0D6CB795E7788506CB52

Function 0041E540 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction ID: 4f031cb08e9ffae457e3064ad8cc3df8fc734d623461cde85e63064428c38609
Opcode Fuzzy Hash: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction Fuzzy Hash: 1671283A74999047E32C853E4C212EA7E934BE7334B2DC76FE9B5873E5D56888428349

Function 0249E7A7 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction ID: c7bc0483940317e79d180de5c015d387668075cb417503382d7e09d39c74e4e4
Opcode Fuzzy Hash: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction Fuzzy Hash: D071D832B599904BEB2CC93C4C213AA7E934BD7234B2DC7AFE5F6873E5C56548068345

Function 0042F94E Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ddc9e49b40d81d59efe30981c578a79a2ed8841775b48c9a1d84f65f2e13e5
Instruction ID: 9811f89adf77642aac9bdcd1dfaa207f1bffa6057a3b6f962b1914ab5f2cf999
Opcode Fuzzy Hash: 62ddc9e49b40d81d59efe30981c578a79a2ed8841775b48c9a1d84f65f2e13e5
Instruction Fuzzy Hash: 5F912EB1900B40AFC364DF39C946797BEE9EB4A320F148A5DF4AEC7381D735A4458B92

Function 00425B60 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4da1f79aa3f9383186e8ff350823c50f108f9629e3aad98d91005626e621933
Instruction ID: 198089775270ec2ba09ed9cc0a303766f3a6797bbfd4347dbbfed1a88cb7f9f0
Opcode Fuzzy Hash: f4da1f79aa3f9383186e8ff350823c50f108f9629e3aad98d91005626e621933
Instruction Fuzzy Hash: 8D610F74A00215CFCB14CF64D851BBFB7B2FF8A351F898669C546AB365D7389881CB44

Function 0043CCE0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702b9c44c004d97b59a7cc676c1ff0dd82f29c30333d63b7b189e4e639c58c57
Instruction ID: 74c365c859359adb64e6443a1d8a804fcaa75e7c6b88efde6c3a9fc454399aee
Opcode Fuzzy Hash: 702b9c44c004d97b59a7cc676c1ff0dd82f29c30333d63b7b189e4e639c58c57
Instruction Fuzzy Hash: C551273AB14261CFC7088F24E8E125A73A2FB8F316F1B84BDC54697251D735A895CB46

Function 0041B8B0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction ID: 18c53c82966709a63a31b4bee39a72e940b2e13dfe4fc4d68ec31c8598fb935a
Opcode Fuzzy Hash: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction Fuzzy Hash: 68610C32759A804BD32C893C5C612A67A938FD7334B3CC77FE6B6873E5D66848468385

Function 0249BB17 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction ID: 0154798bb282a09463e94101d949ce818eaeec4b392a2bfaa9f849180aa8d969
Opcode Fuzzy Hash: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction Fuzzy Hash: F061FA367599804BD72CCD3C6C612667E938BD7238B2CC77FE6B6873E5D96448068344

Function 024978E5 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afd12ee4fe4161793bb82bed24be959262b690a463b4328cb5e553b40cd9b55
Instruction ID: 1a7df06cf6774020c761aafca6e2f70d7087655aa041e3e01d5a02adbadb465d
Opcode Fuzzy Hash: 8afd12ee4fe4161793bb82bed24be959262b690a463b4328cb5e553b40cd9b55
Instruction Fuzzy Hash: AE5103B66543404BDB20CFA8CCC06ABFAD2EBCA218F1D463DD989C7251D778E9458741

Function 00436BE0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76348a0bd557584f46e98dccacec5450f36fb77c479b62ce4ef0df6592008049
Instruction ID: e8dad1dda0253b92e63a19101ee9763ddde1de1650ff40d59ee9a09597a5be0b
Opcode Fuzzy Hash: 76348a0bd557584f46e98dccacec5450f36fb77c479b62ce4ef0df6592008049
Instruction Fuzzy Hash: 1D81E33410C3819ED3008B28C19536BBFE19B8B318F29AA5EE4D5473D2C779C949DB4B

Function 024B6E47 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeef87a1c839f0af4ee9fdb924ad024939842a93be26a51871cd2794884bede
Instruction ID: 43d30ff8985d2a64846f659b12b71fcf3ebaf48ba453a9b46051f6a2380f3f0a
Opcode Fuzzy Hash: 4aeef87a1c839f0af4ee9fdb924ad024939842a93be26a51871cd2794884bede
Instruction Fuzzy Hash: D881813510C3808ED3128B28C5847ABFBE19FC6318F195A5EE4D657392C37AC989CB67

Function 0041E8A0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction ID: 1b55788f5994b5c316b555bafa2d4e94edcdac73a59f8d5d1b109559d29dcada
Opcode Fuzzy Hash: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction Fuzzy Hash: 7E51383B759A804BD328893E5C50396BA930FD7334B3DC3BADAB4873E5C9694C468349

Function 0249EB07 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction ID: 31ced6b8bd7f1adcfe8730199654249e170a862685502382e0c0b5a04bc55ca6
Opcode Fuzzy Hash: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction Fuzzy Hash: EB511337749A904BDB29CA3C5C502AABE934BD3234B2DC7ABE6B58B3E1C5654802C340

Function 00436440 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction ID: 86f22ca97d6f1e81ca17bbf3afc5211be283c408cf4080403e6b39791c642dfe
Opcode Fuzzy Hash: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction Fuzzy Hash: 17517DB15087549FE314DF29D49435BBBE1BBC8318F054A2EE4E987350E379DA088F86

Function 024B66A7 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction ID: 5fbde62f1f15dfc9eb9ee416e009aa857d3b01a08b3c29c6869c836410697cbd
Opcode Fuzzy Hash: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction Fuzzy Hash: 5B518CB15087548FE714DF29D89435BBBE5BBC8314F154A2EE4E983390E379D6088F92

Function 00419761 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 158d816916a75a71f0890200e4135c0148cdde566b05f3ca8ad5216f9b02a581
Instruction ID: 68a77030454d626d19ec7ed67b7794301e9ee5d4ef2845efaf891d8a3c10dde6
Opcode Fuzzy Hash: 158d816916a75a71f0890200e4135c0148cdde566b05f3ca8ad5216f9b02a581
Instruction Fuzzy Hash: D0415976A643108BEB288E65CC907EB7293F7C5325F1D863ED59983295D63C1C458349

Function 024999C8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bcd66215105a27ea4a03a82d92bb363bba8c3b81f82123cc11194258d9b13f
Instruction ID: 9b606fcf0e02351aedafba35517caed16ef50b8938bb1ad8e620237031d9d5e8
Opcode Fuzzy Hash: 14bcd66215105a27ea4a03a82d92bb363bba8c3b81f82123cc11194258d9b13f
Instruction Fuzzy Hash: 5A41557AA947104BDB288E64CC807EF7A83F7C5328F1D863ED99A83694D73818058755

Function 02497584 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e1d33fca1f3ce1a2dec51e21a2417bd0723e7fd34f848b7fd2751e9d81773a
Instruction ID: 378e3dcd06221598f0c17f3a58472902c264e868190ff9a97a796a32f9327e86
Opcode Fuzzy Hash: 45e1d33fca1f3ce1a2dec51e21a2417bd0723e7fd34f848b7fd2751e9d81773a
Instruction Fuzzy Hash: C341DCB2E5075047D7308F698C80393B692BBC5625F1E832DC8D8D73A4DB75AC068791

Function 0042BA28 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775648f9cf49ffa31718cd879e4046e06dd18a1f45b10576d0a1a689108f1a28
Instruction ID: d943a23e85edda31a48abf12b3a750d452fa0ee3ec0af8a1685b1eff93be6d72
Opcode Fuzzy Hash: 775648f9cf49ffa31718cd879e4046e06dd18a1f45b10576d0a1a689108f1a28
Instruction Fuzzy Hash: 564101746047928BD3268B25D4A1773FFA1FF63304F68588ED4D74BB42C36AA806CB95

Function 024ABC8F Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ee7f36c3d2e856206c68bee4608b5cdf8c81be341d7e238eab71ee5415eea0
Instruction ID: 7e4e36da6d0429e01c181e579c4748fbe27997154e08e287c114661a601ee997
Opcode Fuzzy Hash: 53ee7f36c3d2e856206c68bee4608b5cdf8c81be341d7e238eab71ee5415eea0
Instruction Fuzzy Hash: 8C41CFB45087828FD3268B25C4A0B72FFA1EF77309F28588ED4D74B752D322A416CB51

Function 024A44E1 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08a39b096a47da746a4bf00c2439b11875ba81c220c3bee89326071ccf62e16
Instruction ID: af1074f099d16e8792506408795529a5a0d6381db4e58b208fccb45f02520de9
Opcode Fuzzy Hash: e08a39b096a47da746a4bf00c2439b11875ba81c220c3bee89326071ccf62e16
Instruction Fuzzy Hash: F5518DB1A0D3809FD308DF248591A6FBBE4EB95708F509D6DF1D69B680C778850ADF06

Function 0042CF7E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1bf16c7a48d652cf2a5d28da35ca610a71a3541a15dec79de0db755ce372aad
Instruction ID: 331d108b3c03833bbf54b170f9c9f8a218aa15eb268d62f8f521e7b1f3013f26
Opcode Fuzzy Hash: d1bf16c7a48d652cf2a5d28da35ca610a71a3541a15dec79de0db755ce372aad
Instruction Fuzzy Hash: 6E415B31B156518BD72D8F399851737BB93EB9B308F68846EC097C7396DA3998038608

Function 024AD1E5 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00acf9beb325bf5025a1b6c8ede75b3caed8e1d61a24deee8cefcc4ff5900d2
Instruction ID: 83a7f1c590ad2a8f343815ded09faf8750acb35615f341b1435eb8692a8d4a9a
Opcode Fuzzy Hash: f00acf9beb325bf5025a1b6c8ede75b3caed8e1d61a24deee8cefcc4ff5900d2
Instruction Fuzzy Hash: 0D412B71A157818BDB2D8F39C8617377B93EB96308F18816EC496CBA96D774D402C714

Function 0043B649 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction ID: fc2a3faee29f7c0b70f1af28c672127208f5ae33e1feaa70c7781e2b1feeb741
Opcode Fuzzy Hash: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction Fuzzy Hash: 9F41477790061287C71C8F29C8523B6F762FFD5305F1DA22EC5869B784DB3899518BC5

Function 024BB8B0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction ID: 525daf54ff75dc507b641e9a0f3df5f9520e72201be4dfede82cdac0424ab828
Opcode Fuzzy Hash: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction Fuzzy Hash: 5741697790061287C71D4F25C8522B6F762FFD5308B1D922EC8879BB44DB389951CBD1

Function 024A3C11 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ea433e1a4b0e3496128ff544455191418dba8fb07b1872e8d9f7111668e092
Instruction ID: 07690b9f65bc0da64135db9b28a92d17585022015f93049c558210525760187b
Opcode Fuzzy Hash: e5ea433e1a4b0e3496128ff544455191418dba8fb07b1872e8d9f7111668e092
Instruction Fuzzy Hash: 9B314975B443418BD3148F14CC11B77B7A1EBAB324F28CAAEE461873D6E3349845CA14

Function 0043CDE0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dd51954d8198820db1252f03c0cc0313dceaeabc8b2885be188b91e09cdde2
Instruction ID: 4d77fa5e14a42d727003599c78718a86a99c9e501e3b114b6fc75029bd77acf5
Opcode Fuzzy Hash: 51dd51954d8198820db1252f03c0cc0313dceaeabc8b2885be188b91e09cdde2
Instruction Fuzzy Hash: 5A411539B15261CFC3488F34E8E161A73A2FBCB306F1B84BDC54587221DB35A856CB46

Function 0043AF5E Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction ID: 7bc35896f80d9aee04bfd5efb7f20b294d153b4365299a9763fe12702b038c27
Opcode Fuzzy Hash: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction Fuzzy Hash: CA31F477E413008F9708DF79DD8556A7AA2EB86304B4FC2BDC4956B31ADB3888068B95

Function 024A9A63 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fcc9fe04a2c3243c31a881698cc006d7ffd455b6d76df720a81834ef6a7e64
Instruction ID: 429f1b92f416b78443b47d7317e2b6c7722cc13a9a7381cce1570fdf98950c59
Opcode Fuzzy Hash: 27fcc9fe04a2c3243c31a881698cc006d7ffd455b6d76df720a81834ef6a7e64
Instruction Fuzzy Hash: 2A21B1357452919BEB28CF58C9A1A7F7762EB5A718F18923FC80367BA5C3209C41C788

Function 024BB1C5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction ID: 213ac91b0891b9e894b79aa0c6d06a3c9f8936731f81993a47778008adeaa5fc
Opcode Fuzzy Hash: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction Fuzzy Hash: 4F310377E413404F9708DF79D98556A7A92EB82204B4FC2FDC8856B32ADB3488068BA1

Function 0042E1B4 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction ID: 4ea4806b83afaffb75b78730f6817ed6d329f40a3482af0af40c9bf3f673e34f
Opcode Fuzzy Hash: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction Fuzzy Hash: 5441B3726057818FD314CF3CC884756BBE2AB8A320F1986ADE4A9CB3D6C735E405CB44

Function 024AE41B Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction ID: b1020328c701f0cf9736808a6ab29931cf946749e22b122b422704f24914a565
Opcode Fuzzy Hash: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction Fuzzy Hash: 4141A3727057818FD315CF3CC894756BBE2AB8A324F1986ADE4A9CB3D6C635E445CB40

Function 0043B24F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction ID: c5f62e22b240d130b7ea6473cf2eafd4c6e78225e942b60a5111896fd1e01f0b
Opcode Fuzzy Hash: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction Fuzzy Hash: A03104B3B5050257D71CCB3ADC632AB6AC3ABDA20871ED13EC456D7759EA3C98114AC8

Function 024BB4B6 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction ID: 2e887d996e6633bd242efe64e23f5c01a388bea4719eda2f3fa0da9d575888ee
Opcode Fuzzy Hash: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction Fuzzy Hash: 1431F6B3F505015BD71DCB3ECC632A76AC3ABDA20832ED13EC857D7758EA3898114A94

Function 00408200 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction ID: eb7174127bcf833fae2a154ed7ec673e991b3f561a480f387dacf63925d2bc47
Opcode Fuzzy Hash: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction Fuzzy Hash: BB31E93694DAA246C336892D84E0579BE90AA9721531943FEDCF15F3C3C825898AD3E5

Function 02488467 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction ID: fa8ab09960a10b353073ac2c9378e483ec3e07d2d6267a791cfeed4edbbeabb2
Opcode Fuzzy Hash: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction Fuzzy Hash: E8312B2295D2F64AC336C93D84E057EBF91AA5711435943FED8F14F383D611858AC3E0

Function 024A9E63 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cec658ecc5dd26b58c7d74e61614fefba114359199db40c867434081fe00fc
Instruction ID: 824414cc5ccc00e4f7cfbe1e6144db3d30f2459bc1e9b8e3dc09a93dc5b8a586
Opcode Fuzzy Hash: d4cec658ecc5dd26b58c7d74e61614fefba114359199db40c867434081fe00fc
Instruction Fuzzy Hash: 8521D67574521087DB38CF14DAA163FB7A1DB9A71CF18963ED8565BA96C320CC01CA4D

Function 0248A0A7 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction ID: 4b0739352c437608b3a6a6f339d6b6d6e5e1b0216b100cf8f7fedba7c250c3f8
Opcode Fuzzy Hash: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction Fuzzy Hash: 6D31C171E402588BDB288F698C467EFBB71EB49300F0480BED589E7341C73889458BA5

Function 0041654C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e14aa64a3e9f13f608f7dc9017ad607f1dd168dddae841322742039607c22e5d
Instruction ID: 60ac1c053ff6f5726b67605628bc915d77a497f370d72bc8616a0f5cfa733018
Opcode Fuzzy Hash: e14aa64a3e9f13f608f7dc9017ad607f1dd168dddae841322742039607c22e5d
Instruction Fuzzy Hash: 6521D336A443008BC7248F69CC817ABB7D2EBCA314F2A463ED5C9D7251D778D841C649

Function 024967B3 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4587c2ecc2f3ddddb01a7764ed472af0ba154f71f7279b6dcb025695bed21092
Instruction ID: 25d79dd9a4f7f4c24dee70dec36b1fe0bdde973ef2573f0470dc83706dabf98b
Opcode Fuzzy Hash: 4587c2ecc2f3ddddb01a7764ed472af0ba154f71f7279b6dcb025695bed21092
Instruction Fuzzy Hash: B0210076A453408BCB24CF69CC807ABB7E2EBCA314F1A463ED9C9D7291D778D841CA01

Function 0041646C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54e7ec3da58e8845c43b3d00e90085a623ddb3d1b25f510270df16f3e4126489
Instruction ID: 6116a2d1e320b55b86b9137b5dc92aa67d4c70ad86fb436a10a0d932fa1e9d1e
Opcode Fuzzy Hash: 54e7ec3da58e8845c43b3d00e90085a623ddb3d1b25f510270df16f3e4126489
Instruction Fuzzy Hash: B821D537F603205BC724CE699C813E77292AB4A704F1A423DDDC9E7295E768ED41C289

Function 024966D3 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c506cce531e3919c04615988c81e08a45edb472708009f493803a8171ad28bf9
Instruction ID: b8ab07bf59500d98c2dadf3f33f6480657741df94a2bf6e0e17724bd0924d480
Opcode Fuzzy Hash: c506cce531e3919c04615988c81e08a45edb472708009f493803a8171ad28bf9
Instruction Fuzzy Hash: 3D216A7BF607204BCB24CE688CC13A776D5AB8A704F0A423DDCC9E7281D7699C01C280

Function 00415513 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1946ca2bbd12bddd241c0a76d2c3c7c61b346810e561e8bd3751e495153b4f2d
Instruction ID: 5bc7ccfd386dcb4296d2398401a9150d99952967e874be6b4c8a23cb9b834f77
Opcode Fuzzy Hash: 1946ca2bbd12bddd241c0a76d2c3c7c61b346810e561e8bd3751e495153b4f2d
Instruction Fuzzy Hash: 4021DEB0508750DBE6209F289811BEF72B1FF92715F041A6DE4899B3A2E7799840C78A

Function 02495779 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2275ce5365105d403d9a66360061be74ee1a5e49809a3b3333750a93a583a311
Instruction ID: 0113656df70cc90e0d9adac76a2811c57c119532334bdf8a059d0fad8e0f3503
Opcode Fuzzy Hash: 2275ce5365105d403d9a66360061be74ee1a5e49809a3b3333750a93a583a311
Instruction Fuzzy Hash: 472103B0809350CBEB31DF288815BAF77A0FF82314F141A5DD4C99B391E3768411CB56

Function 00427C84 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52c3bf9f5a5efdb19346225772971d12d0746489be15d1a80e8ada0fe11dcfa
Instruction ID: d8a42283624192fd00c70810cd93925113604e3a9b5ae13cb25c0ab33698ef07
Opcode Fuzzy Hash: f52c3bf9f5a5efdb19346225772971d12d0746489be15d1a80e8ada0fe11dcfa
Instruction Fuzzy Hash: 2E21C1B5A1D7609FD300CF29E88126BFBE5EBDA314F04197EF88897351C674C8018B8A

Function 00427F98 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1815895b3ee1a8b0d0e82f1f09e7557fce07276a0602ed728ce9ce91208926f
Instruction ID: e31789ee96b8156ff317fdc3fe00b62fef8a8e36be4ff9a6539a2de879fd481c
Opcode Fuzzy Hash: a1815895b3ee1a8b0d0e82f1f09e7557fce07276a0602ed728ce9ce91208926f
Instruction Fuzzy Hash: C621CFB5A1D7609FD3008F29E88026BFBE5EBDA314F04196EE88897351C674C8018B8A

Function 024B793B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d6e0d20ea5ed18a83fb086c03f92196700e3944fcc106dcf555f132838b900
Instruction ID: 60f024efd44d2e6fc23bbfe8aea1059c62542ca13f1396ea2c1ed1c2aa78175f
Opcode Fuzzy Hash: 98d6e0d20ea5ed18a83fb086c03f92196700e3944fcc106dcf555f132838b900
Instruction Fuzzy Hash: B40104B46082009BFB218F24D985A6BF7E6AFCE714F249539E58493296D730C8068B66

Function 004345A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4e212b40f6247f64a96a6c6a82f5b24c392c63bde34047d35283fee070a640f0
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: A6112933E041D00EC3128D3C84005E5BFA30AD7635F1D539AF4B49B2D2D62A9D8A8369

Function 024B4807 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b9746229de7133d23b5eafdc18fbbb0e292231a457f1729aff78e2d2777f5329
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: B0118237A051E40EC7178D3C88106A5BFE30E93579F59839AE4F89B2D3D622898A8375

Function 0042A6E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a9d28b8410449be80ff4f21780ad3af697dfe933338f5009d46074fdc8dd2d
Instruction ID: 4946d911e0b967195e1a1348c3e762d4d5861f407a6e511d0cf075644ec4ee40
Opcode Fuzzy Hash: 27a9d28b8410449be80ff4f21780ad3af697dfe933338f5009d46074fdc8dd2d
Instruction Fuzzy Hash: 8601B5F570072147D720AE15A9C1B2BB2B85F84708F09443EDC445B342DB7DEC25C6AE

Function 024AA947 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec6be425556fec8f277c0619acdefb927ff7fe72506ef8785dc4fd138ac51b1
Instruction ID: b8b3ef734e04a120de4063fdecf3e6166ab5139654273e7cf6482d76938e7094
Opcode Fuzzy Hash: eec6be425556fec8f277c0619acdefb927ff7fe72506ef8785dc4fd138ac51b1
Instruction Fuzzy Hash: 5801D4F160031187DB20AE1685E0B3BB2BD7FA4704F49092EC94947300DB73E805DAA1

Function 00AFACFB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589369716.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afa000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e4f8ee1d621a80ec8badd0d0a00f33920c8f190facea57e5ac8dafd1ac7df879
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 0E117CB2340104AFDB54DF95DC81FE673EAEB98361B298065FE08CB716D675E841CB60

Function 00402BB0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction ID: 7626f5b568e4065c2fb8e2b8e8aa78560fe75fc35cb0466549d2504da6eac03c
Opcode Fuzzy Hash: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction Fuzzy Hash: 8DF02837B092060BE314DC699CC092BB393EBCA314B1D853DDA50E77C4D975E9078294

Function 02482E17 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction ID: 474d67ba72bc0e168bf0a7bd024094e3309ee85eb553af1304bc3098ada1efb0
Opcode Fuzzy Hash: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction Fuzzy Hash: 32F02837B192460BA314EC69ACC092BB393E7CA218B1D8139DD94C7344DA71E806C294

Function 024A7F03 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1204311fc035cb25bb6fc155322403387724d3fc86fa9ddf3fa414eeedb1169a
Instruction ID: 9a554c3a3e9927397f099b989646af264f801ba2953db687d4f9f2239230277a
Opcode Fuzzy Hash: 1204311fc035cb25bb6fc155322403387724d3fc86fa9ddf3fa414eeedb1169a
Instruction Fuzzy Hash: 790187B49297909FD310DF29C88066BFFE6ABD9314F045A2DE4C897355C774C8018B46

Function 02480D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 34064763689ac3de6fc2931be55773beff4606bcf56ef1d504eadd77b2d196bf
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2E01F272A306008FDF21EF20C905BBF33E5FB86306F0550A6D90A97381E370A8498B80

Function 004463BF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1588605643.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1588605643.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_davies.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd02fea2be03806e068e59b8698e1319399c6fd873d9cdfbb5691a6de493a739
Instruction ID: bb1c42fd17f77c0c5d6c8d3d945b94149fecf02fba7bb576b783b8d7776c9c33
Opcode Fuzzy Hash: fd02fea2be03806e068e59b8698e1319399c6fd873d9cdfbb5691a6de493a739
Instruction Fuzzy Hash: A4F0922998D7D52FDF929B3480205B3BFF45E1BB1832DA1CDC6C009636C51A4C03E702

Function 024B846B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7658153dd2cad37445cca36289dd225f24cca9487680dd6027cd2bc73d16bc52
Instruction ID: 5514461475797ebc623d4819ab24d98f03cebddba27536f847cf80dbbfd04f1b
Opcode Fuzzy Hash: 7658153dd2cad37445cca36289dd225f24cca9487680dd6027cd2bc73d16bc52
Instruction Fuzzy Hash: 05D0C9B6864601CBC7115F14DC5267BB6F4FF17300F476459D481AB360F3358954975A

Function 024A9A0A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e56c738880d6b79f0be6cb46f0ff7170fcfc443a86d7d37cb23f9a4d49323c
Instruction ID: fcd5ba57132a13dcf1f4b4955f4d1ab7045491880f7fe4bddd9055e7a3d216f7
Opcode Fuzzy Hash: e7e56c738880d6b79f0be6cb46f0ff7170fcfc443a86d7d37cb23f9a4d49323c
Instruction Fuzzy Hash: CAB092E1C56414CA9121BB252E014AEB0262D13300F842136C90622200A757E25A589F

Function 024AA4F5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c7213db73a451e2f02a279a88521ba23eec33850603c1695e588c42bfadd95
Instruction ID: df1d4bdd6fef6ba318edaaf011329d8a5f664013a96d9e3a28b4520e588feb4f
Opcode Fuzzy Hash: 91c7213db73a451e2f02a279a88521ba23eec33850603c1695e588c42bfadd95
Instruction Fuzzy Hash: 70B011E8C088808A8000EF08B800ABAA238AA0B200F803020C008A3200E202F2288A8E

Function 024B2157 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 024B2167
GetWindowLongW.USER32 ref: 024B218C
GetClipboardData.USER32 ref: 024B219C
GlobalLock.KERNEL32 ref: 024B21B5
GlobalUnlock.KERNEL32 ref: 024B22A2
CloseClipboard.USER32 ref: 024B22AB

Strings

3, xrefs: 024B2203
%, xrefs: 024B221C
,, xrefs: 024B2217
, xrefs: 024B2212
], xrefs: 024B21FE
), xrefs: 024B2208
i, xrefs: 024B222B
", xrefs: 024B2226

Memory Dump Source

Source File: 00000000.00000002.1589750159.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_davies.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: $"$%$)$,$3$]$i
API String ID: 2832541153-1573611430
Opcode ID: 5d62201db40e72d17096051cffeee7247bf7bd506d0ec61628c4f34f18256801
Instruction ID: 3d18f6d4a94fd0a92b2bd04679f1dbe09425da394c65380552806aa7c89b62bc
Opcode Fuzzy Hash: 5d62201db40e72d17096051cffeee7247bf7bd506d0ec61628c4f34f18256801
Instruction Fuzzy Hash: CE414F7150C3808ED301EFB8D48839EBFE1AF95308F04496DE9C58B282D6B9858CD767

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report davies.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_davies.exe_29fd3e8dcedd613489effaa59241548738ccf_5c1024ad_96061568-cc38-4712-b8f8-57b6107eb496\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER247D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25F5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26B2.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
davies.exe

Function 0040B406 Relevance: 9.2, Strings: 7, Instructions: 454
COMMON

Function 004089E0 Relevance: 6.1, APIs: 4, Instructions: 99
threadCOMMON

Function 0040BCF7 Relevance: 3.8, Strings: 3, Instructions: 88
COMMON

Function 00AFB41E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0043B540 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 02480E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0043C20A Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 0043B4E0 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 00439A90 Relevance: 1.5, APIs: 1, Instructions: 22
memoryCOMMON

Function 0043C3DD Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Function 00439A70 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON