Edit tour

Windows Analysis Report
H5JVfa61AV.exe

Overview

General Information

Sample name:	H5JVfa61AV.exe renamed because original name is a hash value
Original sample name:	51ef0857b9daf63e70a43735afb0e529.exe
Analysis ID:	1589507
MD5:	51ef0857b9daf63e70a43735afb0e529
SHA1:	6a5a8f37d20d79c10c94f63070b18b072b14c9ad
SHA256:	f0e521f73d8de6759a1d88948a7ecc0d2b0e609ac802cd2f87d8ee36c801a38d
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

H5JVfa61AV.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\H5JVfa61AV.exe" MD5: 51EF0857B9DAF63E70A43735AFB0E529)

WerFault.exe (PID: 7904 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["apporholis.shop", "femalsabler.shop", "soundtappysk.shop", "handscreamny.shop", "chipdonkeruz.shop", "versersleep.shop", "skidjazzyric.click", "crowdwarek.shop", "robinsharez.shop"], "Build id": "4h5VfH--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1494574605.0000000000569000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf88:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:05.332158+0100	2028371	3	Unknown Traffic	192.168.2.8	49706	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.572530+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.8	53068	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.607082+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.8	57617	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.583039+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.8	62207	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.486068+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.8	59707	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.629090+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.8	51428	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.640048+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.8	53200	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.456839+0100	2059088	1	Domain Observed Used for C2 Detected	192.168.2.8	56031	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.473715+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.8	49599	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:04.597777+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.8	63505	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:40:05.845426+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.8	49706	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: H5JVfa61AV.exe

Avira: detected

Found malware configuration

Source: 0.2.H5JVfa61AV.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["apporholis.shop", "femalsabler.shop", "soundtappysk.shop", "handscreamny.shop", "chipdonkeruz.shop", "versersleep.shop", "skidjazzyric.click", "crowdwarek.shop", "robinsharez.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: H5JVfa61AV.exe	Virustotal: Detection: 40%			Perma Link
Source: H5JVfa61AV.exe	ReversingLabs: Detection: 62%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: H5JVfa61AV.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: handscreamny.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: versersleep.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: crowdwarek.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: apporholis.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: femalsabler.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: soundtappysk.shop
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: skidjazzyric.click
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Unpacked PE file: 0.2.H5JVfa61AV.exe.400000.0.unpack

Source: H5JVfa61AV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, edx	0_2_0040B2B0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00419840
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0040A05C
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00427070
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0043B870
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov edx, ecx	0_2_0043B870
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042D830
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0043F0E0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B882
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then jmp eax	0_2_004418A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B173
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B170
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041A900
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B184
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then test esi, esi	0_2_0043C9A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0041B243
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EA62
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00402210
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_0040AA32
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00425AF0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_00428280
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0041F2A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebx, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebp, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EB5F
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042BB00
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041BB21
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441B20
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041AB2A
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0040C334
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	0_2_0040C3EC
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebx, edx	0_2_0042DBF0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then jmp ecx	0_2_0040D334
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00422380
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0041BBA0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0042BBA0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBA1
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_00440BAB
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBB3
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441BB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441C40
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_00442470
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00426C76
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov eax, edi	0_2_0041C400
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00417405
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00417405
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov edx, ecx	0_2_00417405
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00414C20
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_0044042D
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_0044042D
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B484
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00427490
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00425D6A
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00438520
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00442D20
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then push edi	0_2_0043C5A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0043C5A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B652
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B667
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_00418672
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00409E09
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407620
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407620
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then jmp ecx	0_2_0040CEC7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00416ED0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0041BEE1
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041AEFF
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov esi, ecx	0_2_00415720
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_00415720
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0040DFE2
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0040DFE2
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_00408F90
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_004427B0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0210E249
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0210E249
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0210A2C3
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0213F347
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0211B3DA
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0211B3EB
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0210A070
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov esi, ecx	0_2_021160EF
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_02117137
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then jmp ecx	0_2_0210D12E
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0211C148
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0211B166
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_021091F7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_021421EA
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then jmp ecx	0_2_0210D59B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov eax, edi	0_2_0211C667
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_02140694
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_02140694
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_021426D7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_021276F7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0211B6EB
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0211773F
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02138787
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_02102477
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0211B4AA
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_021284E7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0211F507
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0210C59B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_021225E7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_02142A17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, edx	0_2_0210BA6C
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0212DA97
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_02119AA7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0213BAD7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov edx, ecx	0_2_0213BAD7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_02117AE4
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov edx, ecx	0_2_02117AE4
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0211BAE9
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0211AB67
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_02126BA7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then push edi	0_2_0213C807
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0213C807
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_02118809
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_02107887
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_02107887
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0212B8B5
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_021158FA
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_02140E12
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0212EE1A
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0212BE07
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0212EE08
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0211BE2C
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebx, edx	0_2_0212DE57
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_02142F87
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then test esi, esi	0_2_0213CC07
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then jmp eax	0_2_02141C3E
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_0210AC99
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0212ECC9
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ecx, eax	0_2_02116D15
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebx, eax	0_2_02105D17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebp, eax	0_2_02105D17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_02125D57
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0212BD67
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0211AD91
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0211BD88
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0212EDC6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.8:57617 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.8:59707 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.8:62207 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.8:49599 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059088 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) : 192.168.2.8:56031 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.8:53200 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.8:53068 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.8:63505 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.8:51428 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49706 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: robinsharez.shop

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /` /`Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=4a106fea8ede7873b678b81c; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 12 Jan 2025 16:40:05 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=4a106fea8ede7873b678b81c; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 12 Jan 2025 16:40:05 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: H5JVfa61AV.exe, 00000000.00000002.1494880587.000000000060A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: skidjazzyric.click
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000002.1494880587.000000000060A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: H5JVfa61AV.exe, 00000000.00000002.1494682311.00000000005B9000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/A
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: H5JVfa61AV.exe, 00000000.00000002.1494682311.00000000005B9000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000002.1494682311.00000000005DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900e
Source: H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000002.1494880587.000000000060A000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Code function: 0_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,

0_2_00436980

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1494574605.0000000000569000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00408880	0_2_00408880
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0040B2B0	0_2_0040B2B0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00419840	0_2_00419840
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00406850	0_2_00406850
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00427860	0_2_00427860
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00427070	0_2_00427070
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043B870	0_2_0043B870
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00406000	0_2_00406000
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043080E	0_2_0043080E
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043F820	0_2_0043F820
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041D0C0	0_2_0041D0C0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004418A0	0_2_004418A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041194F	0_2_0041194F
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043F150	0_2_0043F150
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042B170	0_2_0042B170
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00403900	0_2_00403900
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00425100	0_2_00425100
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00439923	0_2_00439923
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00427133	0_2_00427133
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00433930	0_2_00433930
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004121DB	0_2_004121DB
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042A9F7	0_2_0042A9F7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0040E9B0	0_2_0040E9B0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041825B	0_2_0041825B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042EA62	0_2_0042EA62
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0040CA62	0_2_0040CA62
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00442A60	0_2_00442A60
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041DAD0	0_2_0041DAD0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00429ADE	0_2_00429ADE
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00425AF0	0_2_00425AF0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004092A0	0_2_004092A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00405AB0	0_2_00405AB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004042B0	0_2_004042B0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043CB40	0_2_0043CB40
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042EB5F	0_2_0042EB5F
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00408360	0_2_00408360
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00428B67	0_2_00428B67
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00437B69	0_2_00437B69
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00402B20	0_2_00402B20
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00441B20	0_2_00441B20
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00432B24	0_2_00432B24
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004063C0	0_2_004063C0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042DBF0	0_2_0042DBF0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00422380	0_2_00422380
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041BBA0	0_2_0041BBA0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042BBA0	0_2_0042BBA0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042EBA1	0_2_0042EBA1
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042EBB3	0_2_0042EBB3
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00441BB0	0_2_00441BB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00441C40	0_2_00441C40
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00442470	0_2_00442470
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00426C76	0_2_00426C76
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041D400	0_2_0041D400
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041C400	0_2_0041C400
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00417405	0_2_00417405
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00414C20	0_2_00414C20
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00432426	0_2_00432426
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00428437	0_2_00428437
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043443D	0_2_0043443D
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004354C4	0_2_004354C4
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00434CEF	0_2_00434CEF
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043A4EF	0_2_0043A4EF
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004374AB	0_2_004374AB
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041DCB0	0_2_0041DCB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043ACB0	0_2_0043ACB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0042FCBC	0_2_0042FCBC
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0040D545	0_2_0040D545
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00425D6A	0_2_00425D6A
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00435D13	0_2_00435D13
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00442D20	0_2_00442D20
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043CD27	0_2_0043CD27
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00420D90	0_2_00420D90
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0043C5A0	0_2_0043C5A0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00421E70	0_2_00421E70
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00436610	0_2_00436610
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00407620	0_2_00407620
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0040AE30	0_2_0040AE30
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041F6D0	0_2_0041F6D0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00416ED0	0_2_00416ED0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041BEE1	0_2_0041BEE1
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00402EF0	0_2_00402EF0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004186FC	0_2_004186FC
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00423EFF	0_2_00423EFF
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00431E8E	0_2_00431E8E
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041A690	0_2_0041A690
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00415720	0_2_00415720
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0041AF24	0_2_0041AF24
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00427F30	0_2_00427F30
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0040DFE2	0_2_0040DFE2
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004257E0	0_2_004257E0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00429FE4	0_2_00429FE4
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0040CFEC	0_2_0040CFEC
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00409790	0_2_00409790
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_004427B0	0_2_004427B0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00441FB0	0_2_00441FB0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0210D253	0_2_0210D253
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0210E249	0_2_0210E249
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02106267	0_2_02106267
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212A305	0_2_0212A305
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211D327	0_2_0211D327
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021273B2	0_2_021273B2
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213F3B7	0_2_0213F3B7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02142017	0_2_02142017
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0210B097	0_2_0210B097
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021260B7	0_2_021260B7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021220D7	0_2_021220D7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021320F5	0_2_021320F5
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02103157	0_2_02103157
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211C148	0_2_0211C148
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02124166	0_2_02124166
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02128197	0_2_02128197
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211B18B	0_2_0211B18B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02106627	0_2_02106627
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211D667	0_2_0211D667
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211C667	0_2_0211C667
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213268D	0_2_0213268D
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021346A4	0_2_021346A4
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021426D7	0_2_021426D7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02137712	0_2_02137712
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213572B	0_2_0213572B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213A756	0_2_0213A756
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0210D7AC	0_2_0210D7AC
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02112442	0_2_02112442
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021184C2	0_2_021184C2
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02104517	0_2_02104517
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02109507	0_2_02109507
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021085C7	0_2_021085C7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021225E7	0_2_021225E7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02142A17	0_2_02142A17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02130A75	0_2_02130A75
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213FA87	0_2_0213FA87
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02106AB7	0_2_02106AB7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02119AA7	0_2_02119AA7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213BAD7	0_2_0213BAD7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02117AE4	0_2_02117AE4
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02108AE7	0_2_02108AE7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02103B67	0_2_02103B67
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02133B97	0_2_02133B97
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02139B8A	0_2_02139B8A
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02111BB6	0_2_02111BB6
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213C807	0_2_0213C807
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02136877	0_2_02136877
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02107887	0_2_02107887
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211A8F7	0_2_0211A8F7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211F937	0_2_0211F937
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_021099F7	0_2_021099F7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212EE1A	0_2_0212EE1A
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212BE07	0_2_0212BE07
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212EE08	0_2_0212EE08
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212DE57	0_2_0212DE57
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02114E87	0_2_02114E87
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213AF17	0_2_0213AF17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211DF17	0_2_0211DF17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212FF23	0_2_0212FF23
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02134F56	0_2_02134F56
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02135F7A	0_2_02135F7A
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02142F87	0_2_02142F87
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02120FF7	0_2_02120FF7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02117FFA	0_2_02117FFA
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0210EC17	0_2_0210EC17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02142CC7	0_2_02142CC7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0210CCC9	0_2_0210CCC9
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212ECC9	0_2_0212ECC9
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02105D17	0_2_02105D17
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0211DD37	0_2_0211DD37
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02102D87	0_2_02102D87
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02132D8B	0_2_02132D8B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0213CDA7	0_2_0213CDA7
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02137DD0	0_2_02137DD0
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212EDC6	0_2_0212EDC6

Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: String function: 00414C10 appears 116 times
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: String function: 021083D7 appears 77 times
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: String function: 02114E77 appears 116 times
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: String function: 00408170 appears 45 times

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 644

Source: H5JVfa61AV.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: H5JVfa61AV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1494574605.0000000000569000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: H5JVfa61AV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@10/1

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Code function: 0_2_00569FB6 CreateToolhelp32Snapshot,Module32First,

0_2_00569FB6

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Code function: 0_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_0043B870

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7732

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ca5202e2-eb12-4c06-bc84-6f914696efaf

Jump to behavior

Source: H5JVfa61AV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: H5JVfa61AV.exe	Virustotal: Detection: 40%
Source: H5JVfa61AV.exe	ReversingLabs: Detection: 62%

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

File read: C:\Users\user\Desktop\H5JVfa61AV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\H5JVfa61AV.exe "C:\Users\user\Desktop\H5JVfa61AV.exe"
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 644

Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Unpacked PE file: 0.2.H5JVfa61AV.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.jocu:W;.jirero:W;.janinu:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Unpacked PE file: 0.2.H5JVfa61AV.exe.400000.0.unpack

Source: H5JVfa61AV.exe	Static PE information: section name: .jocu
Source: H5JVfa61AV.exe	Static PE information: section name: .jirero
Source: H5JVfa61AV.exe	Static PE information: section name: .janinu

Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh	0_2_00441853
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0056C966 push ebx; ret	0_2_0056C967
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0056E93A pushad ; ret	0_2_0056E93B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0056E9A5 pushfd ; ret	0_2_0056E9A6
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0056D50E push esi; retn 001Ch	0_2_0056D512
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0212B05A push ebp; iretd	0_2_0212B05D
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02141AB7 push eax; mov dword ptr [esp], 0E0908DBh	0_2_02141ABA

Source: H5JVfa61AV.exe

Static PE information: section name: .text entropy: 7.420962295438687

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\H5JVfa61AV.exe TID: 7820	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\H5JVfa61AV.exe TID: 7824	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: H5JVfa61AV.exe, 00000000.00000002.1494748538.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: H5JVfa61AV.exe, 00000000.00000003.1436295265.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436258307.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000002.1494665126.00000000005AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Code function: 0_2_004402C0 LdrInitializeThunk,

0_2_004402C0

Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_00569893 push dword ptr fs:[00000030h]	0_2_00569893
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_0210092B mov eax, dword ptr fs:[00000030h]	0_2_0210092B
Source: C:\Users\user\Desktop\H5JVfa61AV.exe	Code function: 0_2_02100D90 mov eax, dword ptr fs:[00000030h]	0_2_02100D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: H5JVfa61AV.exe	String found in binary or memory: robinsharez.shop
Source: H5JVfa61AV.exe	String found in binary or memory: handscreamny.shop
Source: H5JVfa61AV.exe	String found in binary or memory: chipdonkeruz.shop
Source: H5JVfa61AV.exe	String found in binary or memory: versersleep.shop
Source: H5JVfa61AV.exe	String found in binary or memory: crowdwarek.shop
Source: H5JVfa61AV.exe	String found in binary or memory: apporholis.shop
Source: H5JVfa61AV.exe	String found in binary or memory: femalsabler.shop
Source: H5JVfa61AV.exe	String found in binary or memory: soundtappysk.shop
Source: H5JVfa61AV.exe	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\H5JVfa61AV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
H5JVfa61AV.exe	40%	Virustotal		Browse
H5JVfa61AV.exe	62%	ReversingLabs	Win32.Spyware.Stealc
H5JVfa61AV.exe	100%	Avira	HEUR/AGEN.1312567
H5JVfa61AV.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
femalsabler.shop	unknown	unknown	false	high
robinsharez.shop	unknown	unknown	false	high
soundtappysk.shop	unknown	unknown	false	high
crowdwarek.shop	unknown	unknown	false	high
versersleep.shop	unknown	unknown	false	high
skidjazzyric.click	unknown	unknown	false	high
chipdonkeruz.shop	unknown	unknown	false	high
apporholis.shop	unknown	unknown	false	high
handscreamny.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
robinsharez.shop	false	high
versersleep.shop	false	high
crowdwarek.shop	false	high
skidjazzyric.click	false	high
femalsabler.shop	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
soundtappysk.shop	false	high
apporholis.shop	false	high
handscreamny.shop	false	high
chipdonkeruz.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000002.1494880587.000000000060A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/A	H5JVfa61AV.exe, 00000000.00000002.1494682311.00000000005B9000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/76561199724331900e	H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000002.1494682311.00000000005DA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.4.dr	false	high
https://store.steampowered.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	H5JVfa61AV.exe, 00000000.00000003.1435770515.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000002.1494880587.000000000060A000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436211779.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	H5JVfa61AV.exe, 00000000.00000003.1435677958.000000000063D000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1435677958.0000000000643000.00000004.00000020.00020000.00000000.sdmp, H5JVfa61AV.exe, 00000000.00000003.1436239246.0000000000646000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589507
Start date and time:	2025-01-12 17:39:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H5JVfa61AV.exe renamed because original name is a hash value
Original Sample Name:	51ef0857b9daf63e70a43735afb0e529.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 13 Number of non-executed functions: 235
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.31.73, 4.175.87.197
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:40:03	API Interceptor	4x Sleep call for process: H5JVfa61AV.exe modified
11:40:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	x.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170_3.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	4kN17cL4Tn.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	5tmmrpv3dn.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	mNPTwHOuvT.exe	Get hash	malicious	Vidar	Browse	23.49.251.20
	res.mips.elf	Get hash	malicious	Unknown	Browse	184.85.6.161
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/	Get hash	malicious	Unknown	Browse	104.102.22.125
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	23.212.88.20
	x.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170_3.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse	104.102.49.254
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	x.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170_3.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_H5JVfa61AV.exe_c079c8b64396d0d72967da28d3d02fefd64b69c5_89c80047_e9df0b74-74fc-491d-adc2-2467fdf6c185\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9571143811721161
Encrypted:	false
SSDEEP:	96:pkb2SllDxHsLhBV57BYf9QXIDcQJc6tcEkcw3p+HbHg/8BRTf3Oy1E45WAU6NCUL:2RbxHghV03p+aju3RzuiFoZ24IO8e
MD5:	1A4EA9719641BFEDFFE06FF76B298803
SHA1:	6E7C31F1EDA544011CCFC93F04A92C2344C8DBF1
SHA-256:	4DFD0CD9304EC9DF1B033A9318E8A21D904B41525DA796AAF056374858385F15
SHA-512:	A7A1B966B7CE7BE80B9F0650F09C9A060D0824B7BC2A72A0B8352CCA45773FD21EA05FA9240AEEC5B971CAD4C2C198079456872906D30D7103B4A2B9B096BC95
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.1.7.3.6.0.5.8.7.1.6.5.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.1.7.3.6.0.6.8.0.9.1.6.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.d.f.0.b.7.4.-.7.4.f.c.-.4.9.1.d.-.a.d.c.2.-.2.4.6.7.f.d.f.6.c.1.8.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.e.f.a.e.a.4.-.3.9.a.7.-.4.d.5.4.-.8.8.8.7.-.4.5.8.1.6.d.2.7.0.6.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.5.J.V.f.a.6.1.A.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.3.4.-.0.0.0.1.-.0.0.1.4.-.2.f.7.6.-.e.9.9.f.1.0.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.f.7.3.5.9.4.3.2.7.3.0.4.f.3.2.9.b.8.0.7.6.1.1.e.7.0.3.6.f.f.2.0.0.0.0.f.f.f.f.!.0.0.0.0.6.a.5.a.8.f.3.7.d.2.0.d.7.9.c.1.0.c.9.4.f.6.3.0.7.0.b.1.8.b.0.7.2.b.1.4.c.9.a.d.!.H.5.J.V.f.a.6.1.A.V...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6DE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Jan 12 16:40:06 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	45480
Entropy (8bit):	2.5492262949581868
Encrypted:	false
SSDEEP:	192:zOD4hpXTI7nAOx1BmUcO65keCcwcA7tuyeLHjr4xq8nhBgB:dfI7nXTBmUcVCJKrX4McPg
MD5:	E1F678F8543E3698EFC7FCC7F9D38608
SHA1:	1270D75C2E0BADAF808C6E2F49B57FEEF4A05F42
SHA-256:	CCB3AA4CCFF1644CF29940869151F52C472C74B0DDBF993E8638D74A406A2674
SHA-512:	925F809A33337F65CF777B032BF8783D1CC0114D51B0DCE1F748497F6B3143443B41B99E4A423D701430DAF17717B9A571BC6C0A38549E8907EBA899ABD4987E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......f..g............4...............H...........<.......t....-..........`.......8...........T............?...r......................................................................................................eJ......t ......GenuineIntel............T.......4...a..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9CD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8310
Entropy (8bit):	3.6991881551400754
Encrypted:	false
SSDEEP:	192:R6l7wVeJOm6g3R6YSZSUHXgmfgZXMpDy89bQ7sf6Qm:R6lXJ/6g3R6YsSUHXgmfgZXKQAfM
MD5:	DEA5EAC27CB6154725D617EAF6187A78
SHA1:	BA2C13A6E272C61C62633DD76319F61CF006FA11
SHA-256:	AF1A5BEEF5A9EB5825B79EB6A80F03C97C54B83233303B30752FFAF4B5B80C83
SHA-512:	977C134D140E97BB9168D293E704190AE0A511ABD989C87D400D9AB52BF6D49B338279379390390A30C43827C5F3402BE22574D4B2E8C0CB9597F387CBD87602
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9EE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.470937093181013
Encrypted:	false
SSDEEP:	48:cvIwWl8zsyJg77aI9DjUWpW8VYuYm8M4JWVF0+q8kd06wxad:uIjfAI7dN7ViJXr0Vxad
MD5:	D6494B5324AE90EFCFEBCB503291FD6C
SHA1:	3698DD0257AAB39FD16F0A09E2617BC7937A0AD3
SHA-256:	48DF6EAB7870F418AF2EF82A07F04D5CD9B7E9061BCEF347E6911B23CC01ED3B
SHA-512:	161CA0F7C11AF1353CC8041DD3837A60C99C02647C2EC041F7A08C027444297F90515EC7F8770DC43026D3A9F9D870C59FB89C39D5587AD50E7D4262CE36BFE0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="672942" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372048691801216
Encrypted:	false
SSDEEP:	6144:TFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNoiL:pV1QyWWI/glMM6kF7mq
MD5:	2DB749DD0D53C89CFE7BB179AF909970
SHA1:	120B1F11D6A659F20F6BDC5624269F5E233D7E34
SHA-256:	39333D9D97F83469F5A7E69CB339E0CCF4C0019465D84FF8B39BA0D5EF9AEB44
SHA-512:	4567577F7BB0A92AB88ACB72BE6D9E6F997E4BCFEDBA0C9DCE6EDAD5D449B14BD0AB00D8244E3573F3CC9278B90747E9F9E3F219694C5E9B904884CDFCBC9B75
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.<l..e................................................................................................................................................................................................................................................................................................................................................{.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.638430954651261
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	H5JVfa61AV.exe
File size:	415'232 bytes
MD5:	51ef0857b9daf63e70a43735afb0e529
SHA1:	6a5a8f37d20d79c10c94f63070b18b072b14c9ad
SHA256:	f0e521f73d8de6759a1d88948a7ecc0d2b0e609ac802cd2f87d8ee36c801a38d
SHA512:	28811fe8107c4df650deb5f36c3cca66cd7e4cd7788892f6f73c3cf2e1a5c28386b8ea7b585a25091d19c4db58f6572dec7d9ae5bee1af46aff79eef633fd2cd
SSDEEP:	6144:u+sTJImZfMNfbFHw+p/D64HAwXpZ6Tz5+r:uLJDUN5Q+sqx/6Tz0
TLSH:	68948D0226FDE9C0FBA74732AE3986E866EFBC615E34526D3154761F09723A0C46E713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q4...g...g...g...g...g...g...g...g...g.Udg...g...g...g...g...g...g...g...g...gRich...g................PE..L....\|.e...........

File Icon


Icon Hash:	738733b18ba383e4

Static PE Info

General

Entrypoint:	0x40153a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65097CFE [Tue Sep 19 10:50:38 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b347e3571c18d9445a1ad9026f10528e

Entrypoint Preview

Instruction
call 00007F22C54A2C9Fh
jmp 00007F22C549F33Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00449598h], eax
mov dword ptr [00449594h], ecx
mov dword ptr [00449590h], edx
mov dword ptr [0044958Ch], ebx
mov dword ptr [00449588h], esi
mov dword ptr [00449584h], edi
mov word ptr [004495B0h], ss
mov word ptr [004495A4h], cs
mov word ptr [00449580h], ds
mov word ptr [0044957Ch], es
mov word ptr [00449578h], fs
mov word ptr [00449574h], gs
pushfd
pop dword ptr [004495A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044959Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004495A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004495ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004494E8h], 00010001h
mov eax, dword ptr [004495A0h]
mov dword ptr [0044949Ch], eax
mov dword ptr [00449490h], C0000409h
mov dword ptr [00449494h], 00000001h
mov eax, dword ptr [00448004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00448008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x46a6c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x19750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x45000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x433fc	0x43400	be79edc1a249bc9cc659d9fde81e0fe1	False	0.8147254007899628	data	7.420962295438687	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x45000	0x23ae	0x2400	b3d287566e366b8ddca839d9ddfe17ae	False	0.3743489583333333	data	5.492839882421906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x48000	0x67c08	0x1600	129636f4ad0fb36fe9f931f912b50c94	False	0.28746448863636365	data	2.9007195437587012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.jocu	0xb0000	0x53e5	0x4800	f9debe3f07be68533bf0295e3d2ba68a	False	0.002224392361111111	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.jirero	0xb6000	0x15a	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.janinu	0xb7000	0xc	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x19750	0x19800	d51dd6361172a3de5f76f999a9f8c375	False	0.34060968137254904	data	4.471407457625777	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0xc8bb8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.31023454157782515
RT_CURSOR	0xc9a78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0xc9ba8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_ICON	0xb8960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.27185501066098083
RT_ICON	0xb9808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4187725631768953
RT_ICON	0xba0b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5224654377880185
RT_ICON	0xba778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5708092485549133
RT_ICON	0xbace0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4229253112033195
RT_ICON	0xbd288	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.49754098360655735
RT_ICON	0xbdc10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5026595744680851
RT_ICON	0xbe0e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3243603411513859
RT_ICON	0xbef88	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.44765342960288806
RT_ICON	0xbf830	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5190092165898618
RT_ICON	0xbfef8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.536849710982659
RT_ICON	0xc0460	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.28822701688555347
RT_ICON	0xc1508	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.289344262295082
RT_ICON	0xc1e90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.34131205673758863
RT_ICON	0xc2360	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.2785181236673774
RT_ICON	0xc3208	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.36462093862815886
RT_ICON	0xc3ab0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.3790322580645161
RT_ICON	0xc4178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.36921965317919075
RT_ICON	0xc46e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2590248962655602
RT_ICON	0xc6c88	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.274624765478424
RT_ICON	0xc7d30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.28647540983606556
RT_ICON	0xc86b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3262411347517731
RT_STRING	0xcc330	0x59a	data	0.4309623430962343
RT_STRING	0xcc8d0	0xfc	data	0.5515873015873016
RT_STRING	0xcc9d0	0x788	data	0.42012448132780084
RT_STRING	0xcd158	0x784	data	0.4287941787941788
RT_STRING	0xcd8e0	0x726	data	0.42568306010928963
RT_STRING	0xce008	0x644	data	0.4389027431421446
RT_STRING	0xce650	0x6bc	data	0.4274941995359629
RT_STRING	0xced10	0x7f2	data	0.41297935103244837
RT_STRING	0xcf508	0x786	data	0.4221183800623053
RT_STRING	0xcfc90	0x5ce	data	0.43943472409152085
RT_STRING	0xd0260	0x554	data	0.45234604105571846
RT_STRING	0xd07b8	0x60c	data	0.4412144702842377
RT_STRING	0xd0dc8	0x81c	data	0.41570327552986513
RT_STRING	0xd15e8	0x162	data	0.5169491525423728
RT_ACCELERATOR	0xc8b98	0x20	data	1.15625
RT_GROUP_CURSOR	0xc9a60	0x14	data	1.25
RT_GROUP_CURSOR	0xcc150	0x22	data	1.088235294117647
RT_GROUP_ICON	0xbe078	0x68	data	0.7115384615384616
RT_GROUP_ICON	0xc8b20	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xc22f8	0x68	data	0.7115384615384616
RT_VERSION	0xcc178	0x1b8	COM executable for DOS	0.5772727272727273

Imports

DLL

Import

KERNEL32.dll

SearchPathW, SetThreadContext, DeleteTimerQueueEx, DebugActiveProcessStop, CreateProcessW, SetWaitableTimer, GetConsoleAliasA, InterlockedDecrement, SetDefaultCommConfigW, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetCurrentThread, GetEnvironmentStrings, GlobalAlloc, LoadLibraryW, GetSystemTimeAdjustment, GetVersionExW, GetTimeFormatW, GetAtomNameW, GetVolumePathNameA, GetStartupInfoW, RaiseException, Module32First, SetLastError, GetProcAddress, GetLongPathNameA, SetFileAttributesA, LoadLibraryA, InterlockedExchangeAdd, MoveFileA, AddAtomA, FoldStringA, SetLocaleInfoW, OpenFileMappingW, GetFileTime, FindFirstVolumeA, FindAtomW, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetStdHandle, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, CreateFileA, CloseHandle, HeapSize, GetModuleHandleA

USER32.dll

GetProcessDefaultLayout

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T17:40:04.456839+0100	2059088	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)	1	192.168.2.8	56031	1.1.1.1	53	UDP
2025-01-12T17:40:04.473715+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.8	49599	1.1.1.1	53	UDP
2025-01-12T17:40:04.486068+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.8	59707	1.1.1.1	53	UDP
2025-01-12T17:40:04.572530+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.8	53068	1.1.1.1	53	UDP
2025-01-12T17:40:04.583039+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.8	62207	1.1.1.1	53	UDP
2025-01-12T17:40:04.597777+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.8	63505	1.1.1.1	53	UDP
2025-01-12T17:40:04.607082+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.8	57617	1.1.1.1	53	UDP
2025-01-12T17:40:04.629090+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.8	51428	1.1.1.1	53	UDP
2025-01-12T17:40:04.640048+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.8	53200	1.1.1.1	53	UDP
2025-01-12T17:40:05.332158+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49706	104.102.49.254	443	TCP
2025-01-12T17:40:05.845426+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.8	49706	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:40:04.666521072 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:04.666565895 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:04.666697025 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:04.670128107 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:04.670146942 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.332082033 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.332158089 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.334563971 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.334578991 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.335061073 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.375253916 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.388772964 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.431329012 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.845601082 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.845659971 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.845702887 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.845711946 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.845711946 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.845722914 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.845746994 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.845774889 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.845796108 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.845819950 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.845904112 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.845904112 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.931401968 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.931468964 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.931493044 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.931513071 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.931535006 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.931641102 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.932549953 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.932585001 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.932780027 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.932789087 CET	443	49706	104.102.49.254	192.168.2.8
Jan 12, 2025 17:40:05.932881117 CET	49706	443	192.168.2.8	104.102.49.254
Jan 12, 2025 17:40:05.932884932 CET	443	49706	104.102.49.254	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:40:04.456839085 CET	56031	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.468112946 CET	53	56031	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.473715067 CET	49599	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.482745886 CET	53	49599	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.486068010 CET	59707	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.569005013 CET	53	59707	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.572530031 CET	53068	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.581403017 CET	53	53068	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.583039045 CET	62207	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.592416048 CET	53	62207	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.597776890 CET	63505	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.604996920 CET	53	63505	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.607081890 CET	57617	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.617234945 CET	53	57617	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.629090071 CET	51428	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.637506008 CET	53	51428	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.640048027 CET	53200	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.649172068 CET	53	53200	1.1.1.1	192.168.2.8
Jan 12, 2025 17:40:04.652563095 CET	57812	53	192.168.2.8	1.1.1.1
Jan 12, 2025 17:40:04.659832001 CET	53	57812	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 17:40:04.456839085 CET	192.168.2.8	1.1.1.1	0x9e26	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.473715067 CET	192.168.2.8	1.1.1.1	0xebbc	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.486068010 CET	192.168.2.8	1.1.1.1	0xe1a7	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.572530031 CET	192.168.2.8	1.1.1.1	0xeee4	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.583039045 CET	192.168.2.8	1.1.1.1	0xa863	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.597776890 CET	192.168.2.8	1.1.1.1	0xb1b	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.607081890 CET	192.168.2.8	1.1.1.1	0x7a9b	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.629090071 CET	192.168.2.8	1.1.1.1	0x46fc	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.640048027 CET	192.168.2.8	1.1.1.1	0xb7b3	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.652563095 CET	192.168.2.8	1.1.1.1	0x3082	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 17:40:04.468112946 CET	1.1.1.1	192.168.2.8	0x9e26	Name error (3)	skidjazzyric.click	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.482745886 CET	1.1.1.1	192.168.2.8	0xebbc	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.569005013 CET	1.1.1.1	192.168.2.8	0xe1a7	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.581403017 CET	1.1.1.1	192.168.2.8	0xeee4	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.592416048 CET	1.1.1.1	192.168.2.8	0xa863	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.604996920 CET	1.1.1.1	192.168.2.8	0xb1b	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.617234945 CET	1.1.1.1	192.168.2.8	0x7a9b	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.637506008 CET	1.1.1.1	192.168.2.8	0x46fc	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.649172068 CET	1.1.1.1	192.168.2.8	0xb7b3	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:40:04.659832001 CET	1.1.1.1	192.168.2.8	0x3082	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	104.102.49.254	443	7732	C:\Users\user\Desktop\H5JVfa61AV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 16:40:05 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-12 16:40:05 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 12 Jan 2025 16:40:05 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=4a106fea8ede7873b678b81c; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-12 16:40:05 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-12 16:40:05 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	11:40:01
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\H5JVfa61AV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H5JVfa61AV.exe"
Imagebase:	0x400000
File size:	415'232 bytes
MD5 hash:	51EF0857B9DAF63E70A43735AFB0E529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1494574605.0000000000569000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:40:05
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 644
Imagebase:	0x260000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	33.3%
Signature Coverage:	31.2%
Total number of Nodes:	96
Total number of Limit Nodes:	6

Executed Functions

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088A4
GetCurrentThreadId.KERNEL32 ref: 004088AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
GetForegroundWindow.USER32 ref: 0040896A
ExitProcess.KERNEL32 ref: 00408AB7

Strings

6W01, xrefs: 004089B5

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6C(], xrefs: 0040B382
Bc*}, xrefs: 0040B3C6
?_oY, xrefs: 0040B389
@w@q, xrefs: 0040B3E4
fWpQ, xrefs: 0040B397
`/(), xrefs: 0040B588
K{Du, xrefs: 0040B3DA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Function 00569FB6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00569FDE
Module32First.KERNEL32(00000000,00000224), ref: 00569FFE

Memory Dump Source

Source File: 00000000.00000002.1494574605.0000000000569000.00000040.00000020.00020000.00000000.sdmp, Offset: 00569000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_569000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: c4a78c7fc1a0d82fba8d5e7abd699d217469cd0ef82ba1a182390b9cd46808a5
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 6AF06236200715ABD7213AB5988DA6BBAECBF89725F100528F647D25C0DA70EC454A61

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0040AA37
MO, xrefs: 0040A9CF

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0210003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0210024D

Strings

cess, xrefs: 0210018D
kernel32.dll, xrefs: 0210008F, 02100095

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: aad6ab16f8a28cd0eb1489dbc57eebdc88624be26de041bf3cadf3bec6a1f088
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F4525974A01229DFDB64CF58C984BACBBB1BF09304F1580E9E54DAB391DB70AA95CF14

Function 02100E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02100223,?,?), ref: 02100E19
SetErrorMode.KERNELBASE(00000000,?,?,02100223,?,?), ref: 02100E1E

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: d5591706dddec6dc70c020a45b27ca906bb1356f428d6b1f08c8c78c4e708908
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 05D0123114512877D7002A94DC09BCD7B1CDF09B66F108011FB0DE9080C7B0954046E5

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B9C7,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction ID: c7e132dbbf166c87dd4ca7ba8e526d96017081e21b1d4d371130b4eff19db060
Opcode Fuzzy Hash: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction Fuzzy Hash: C3E02B32404310ABD2026F397C06B177674EFC6715F05087AF50156151DB38F811C5DE

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0040AB46

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004404BF

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

Function 00569C75 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00569CC6

Memory Dump Source

Source File: 00000000.00000002.1494574605.0000000000569000.00000040.00000020.00020000.00000000.sdmp, Offset: 00569000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_569000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 418cf7d0a6ef283377e28a424d4439f5d82e639709fc2a19d27c7b5c4614b8a5
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 1A113F79A00208EFDB01DF98C985E98BFF5AF08350F058094F9489B361D771EA50DF90

Non-executed Functions

Function 00423EFF Relevance: 70.4, Strings: 56, Instructions: 350COMMON

Download Yara Rule

Strings

`, xrefs: 0042422F
&, xrefs: 0042414B
t, xrefs: 004241DE
x, xrefs: 00423F3E
0, xrefs: 00423FE6
X, xrefs: 0042411A
B, xrefs: 00424144
z, xrefs: 004241EC
d, xrefs: 0042423F
A, xrefs: 004243AC
x, xrefs: 004241FA
v, xrefs: 004241D0
N, xrefs: 0042439E
/, xrefs: 00423F46
q, xrefs: 00423FDE
p, xrefs: 004241C2
|, xrefs: 00424216
?, xrefs: 00424183
>, xrefs: 00423F4E
n, xrefs: 00424257
4, xrefs: 00423FE2
2, xrefs: 00423FC6
7, xrefs: 00423FD6
D, xrefs: 0042416E
b, xrefs: 00424224
l, xrefs: 0042425F
F, xrefs: 00424160
H, xrefs: 0042418A
f, xrefs: 00423FEE
@, xrefs: 00424152
N, xrefs: 00424198
r, xrefs: 004241B4
1, xrefs: 00423FDA
0, xrefs: 00423FD2
8, xrefs: 00423F4A
^, xrefs: 00424128
\, xrefs: 00424136
Q, xrefs: 004241C9
J, xrefs: 0042417C
h, xrefs: 00424175
j, xrefs: 00424247
n, xrefs: 00423FCE
-, xrefs: 004241BB
:, xrefs: 00424253
V, xrefs: 00423F52
&, xrefs: 00423FCA
?, xrefs: 00423F42
~, xrefs: 00424208
f, xrefs: 00424237
h, xrefs: 0042424F
1, xrefs: 00423FC2
@, xrefs: 00424263
L, xrefs: 004241A6
}, xrefs: 00424390
(, xrefs: 004241AD
>, xrefs: 00423FEA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
API String ID: 0-1862720121
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 27bd2a0d4c2ee2dbe7fab43400867feab0dee6ac78a78b22b0fd1ff9dbe20428
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: 45026021D087D989DB22C67C8C483CDBFA11B63324F4843EDD5E86B3D6D6B90946CB66

Function 02124166 Relevance: 70.4, Strings: 56, Instructions: 350COMMON

Download Yara Rule

Strings

l, xrefs: 021244C6
/, xrefs: 021241AD
>, xrefs: 02124251
q, xrefs: 02124245
x, xrefs: 021241A5
f, xrefs: 0212449E
8, xrefs: 021241B1
`, xrefs: 02124496
0, xrefs: 0212424D
v, xrefs: 02124437
|, xrefs: 0212447D
b, xrefs: 0212448B
p, xrefs: 02124429
1, xrefs: 02124241
7, xrefs: 0212423D
L, xrefs: 0212440D
r, xrefs: 0212441B
j, xrefs: 021244AE
\, xrefs: 0212439D
h, xrefs: 021244B6
&, xrefs: 02124231
H, xrefs: 021243F1
A, xrefs: 02124613
:, xrefs: 021244BA
0, xrefs: 02124239
&, xrefs: 021243B2
@, xrefs: 021243B9
2, xrefs: 0212422D
4, xrefs: 02124249
1, xrefs: 02124229
n, xrefs: 021244BE
^, xrefs: 0212438F
N, xrefs: 02124605
N, xrefs: 021243FF
f, xrefs: 02124255
X, xrefs: 02124381
>, xrefs: 021241B5
t, xrefs: 02124445
Q, xrefs: 02124430
-, xrefs: 02124422
B, xrefs: 021243AB
?, xrefs: 021241A9
}, xrefs: 021245F7
z, xrefs: 02124453
n, xrefs: 02124235
D, xrefs: 021243D5
J, xrefs: 021243E3
V, xrefs: 021241B9
h, xrefs: 021243DC
@, xrefs: 021244CA
~, xrefs: 0212446F
(, xrefs: 02124414
x, xrefs: 02124461
F, xrefs: 021243C7
d, xrefs: 021244A6
?, xrefs: 021243EA

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
API String ID: 0-1862720121
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 06f791bbfc6e9ef83a1bd1c61cbcebbad1d7d3ac43852dd20b3f834cf4bced95
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: 5E0251219087D98DDB22C67C8C583DDBFA11B63224F1883DDD1E86B3D6D7B9054ACB62

Function 0043A4EF Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

n, xrefs: 0043A7E7
0, xrefs: 0043A936
q, xrefs: 0043A5E2
<, xrefs: 0043A75B
g, xrefs: 0043A7B6
:, xrefs: 0043A509
i, xrefs: 0043A5AA
c, xrefs: 0043A79A
+, xrefs: 0043A55D
e, xrefs: 0043A7A8
9, xrefs: 0043A541
s, xrefs: 0043A5F0
a, xrefs: 0043A78C
A, xrefs: 0043A652
E, xrefs: 0043A66E
D, xrefs: 0043A4FB
o, xrefs: 0043A5D4
>, xrefs: 0043A764
M, xrefs: 0043A6A6
e, xrefs: 0043A58E
o, xrefs: 0043A7EE
C, xrefs: 0043A660
=, xrefs: 0043A517
i, xrefs: 0043A7C4
K, xrefs: 0043A698
{, xrefs: 0043A628
I, xrefs: 0043A68A
w, xrefs: 0043A60C
k, xrefs: 0043A5B8
}, xrefs: 0043A636
g, xrefs: 0043A59C
c, xrefs: 0043A580
y, xrefs: 0043A61A
L, xrefs: 0043A69F
u, xrefs: 0043A5FE
x, xrefs: 0043A533
a, xrefs: 0043A572
k, xrefs: 0043A7D2
%, xrefs: 0043A525
m, xrefs: 0043A5C6
m, xrefs: 0043A7E0
3, xrefs: 0043A54F
G, xrefs: 0043A67C

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 64b6cdda28aa021313f1cbb0850f2494ccdc33704329f9a8e3918c3b304d7149
Instruction ID: 5a335782380f72e06434a0b7d1c84293c6c1cbd051fad8399b30b8532d7f13f9
Opcode Fuzzy Hash: 64b6cdda28aa021313f1cbb0850f2494ccdc33704329f9a8e3918c3b304d7149
Instruction Fuzzy Hash: 0EF170319086E98ADB22C63C8C443DDBFB15B56324F0847D9D0A96B3D2C7794F86CB66

Function 0213A756 Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

:, xrefs: 0213A770
<, xrefs: 0213A9C2
}, xrefs: 0213A89D
9, xrefs: 0213A7A8
m, xrefs: 0213AA47
A, xrefs: 0213A8B9
u, xrefs: 0213A865
>, xrefs: 0213A9CB
{, xrefs: 0213A88F
c, xrefs: 0213A7E7
x, xrefs: 0213A79A
a, xrefs: 0213A7D9
i, xrefs: 0213A811
%, xrefs: 0213A78C
g, xrefs: 0213A803
C, xrefs: 0213A8C7
a, xrefs: 0213A9F3
w, xrefs: 0213A873
0, xrefs: 0213AB9D
y, xrefs: 0213A881
=, xrefs: 0213A77E
n, xrefs: 0213AA4E
k, xrefs: 0213AA39
i, xrefs: 0213AA2B
I, xrefs: 0213A8F1
e, xrefs: 0213A7F5
s, xrefs: 0213A857
E, xrefs: 0213A8D5
M, xrefs: 0213A90D
k, xrefs: 0213A81F
o, xrefs: 0213A83B
c, xrefs: 0213AA01
o, xrefs: 0213AA55
L, xrefs: 0213A906
q, xrefs: 0213A849
G, xrefs: 0213A8E3
g, xrefs: 0213AA1D
m, xrefs: 0213A82D
D, xrefs: 0213A762
3, xrefs: 0213A7B6
K, xrefs: 0213A8FF
+, xrefs: 0213A7C4
e, xrefs: 0213AA0F

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction ID: f5b7b5b76bc1283b813f01dfb8048a88cf44e4624b73e5e1f204a807c6766b69
Opcode Fuzzy Hash: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction Fuzzy Hash: 75F161319086E98ADB36CA3C8C443DDBFA25F52324F0947D9D0A96B3D2C7754B86CB61

Function 00439923 Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

f, xrefs: 00439E23
Z, xrefs: 00439AF7
4, xrefs: 00439DFF
S, xrefs: 00439A8F
<, xrefs: 00439A0F
s, xrefs: 00439B4F
O, xrefs: 00439D16
~, xrefs: 00439B3F
7, xrefs: 00439A71
], xrefs: 00439ACF
w, xrefs: 00439B17
e, xrefs: 00439E1C
{, xrefs: 00439B77
I, xrefs: 00439D0E
5, xrefs: 004399D7
F, xrefs: 00439AC7
Y, xrefs: 00439AE7
=, xrefs: 00439B8F
$, xrefs: 004399E5
r, xrefs: 00439BB7
j, xrefs: 00439B1F
2, xrefs: 00439A55
i, xrefs: 00439B2F
T, xrefs: 00439BCF
H, xrefs: 00439AEF
=, xrefs: 00439A1D
F, xrefs: 00439A97
U, xrefs: 00439AFF
=, xrefs: 00439A01
t, xrefs: 00439B5F
i, xrefs: 00439B6F
G, xrefs: 00439AD7
S, xrefs: 00439D26
c, xrefs: 00439B07
1, xrefs: 004399BB
x, xrefs: 00439B7F
-, xrefs: 004399AD
j, xrefs: 00439B37
_, xrefs: 00439ABF
*, xrefs: 00439A7F

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: 9858d768ba85f4fc7c06e0a387e2414925c75b509ec035ed4b4a87323aee9e67
Instruction ID: be7a992d2d4842197a1748c1c2319ac7c28ec811ade833faf29c06d267706092
Opcode Fuzzy Hash: 9858d768ba85f4fc7c06e0a387e2414925c75b509ec035ed4b4a87323aee9e67
Instruction Fuzzy Hash: E8224F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66

Function 02139B8A Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

i, xrefs: 02139D96
i, xrefs: 02139DD6
f, xrefs: 0213A08A
$, xrefs: 02139C4C
S, xrefs: 02139F8D
T, xrefs: 02139E36
<, xrefs: 02139C76
=, xrefs: 02139C84
O, xrefs: 02139F7D
2, xrefs: 02139CBC
x, xrefs: 02139DE6
=, xrefs: 02139C68
j, xrefs: 02139D9E
t, xrefs: 02139DC6
7, xrefs: 02139CD8
e, xrefs: 0213A083
U, xrefs: 02139D66
=, xrefs: 02139DF6
I, xrefs: 02139F75
F, xrefs: 02139D2E
Y, xrefs: 02139D4E
r, xrefs: 02139E1E
G, xrefs: 02139D3E
1, xrefs: 02139C22
{, xrefs: 02139DDE
5, xrefs: 02139C3E
j, xrefs: 02139D86
s, xrefs: 02139DB6
-, xrefs: 02139C14
F, xrefs: 02139CFE
_, xrefs: 02139D26
H, xrefs: 02139D56
], xrefs: 02139D36
4, xrefs: 0213A066
S, xrefs: 02139CF6
w, xrefs: 02139D7E
~, xrefs: 02139DA6
*, xrefs: 02139CE6
c, xrefs: 02139D6E
Z, xrefs: 02139D5E

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction ID: 32d01b67cc353d10cde139d5793501b7efac64c1f39d8d77eeb7cab383b85d69
Opcode Fuzzy Hash: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction Fuzzy Hash: 55225C219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66

Function 0043B870 Relevance: 35.9, APIs: 10, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
VariantInit.OLEAUT32(?), ref: 0043BF3E

Strings

n:T8, xrefs: 0043BE4A
M, xrefs: 0043BB5B
#~|, xrefs: 0043B8A7
:;$%, xrefs: 0043C2EC
F*R(, xrefs: 0043BE2A
#~|, xrefs: 0043B89D
96, xrefs: 0043BE52
e?^, xrefs: 0043BC4F
k"@ , xrefs: 0043BE3A
[&h$, xrefs: 0043BE32

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96

Function 0213BAD7 Relevance: 32.4, APIs: 8, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 0213BF33
SysAllocString.OLEAUT32(37C935C6), ref: 0213BFAD
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0213BFEB
SysAllocString.OLEAUT32(37C935C6), ref: 0213C050
SysAllocString.OLEAUT32(37C935C6), ref: 0213C137
VariantInit.OLEAUT32(?), ref: 0213C1A5

Strings

n:T8, xrefs: 0213C0B1
M, xrefs: 0213BDC2
F*R(, xrefs: 0213C091
[&h$, xrefs: 0213C099
:;$%, xrefs: 0213C553
#~|, xrefs: 0213BB04
96, xrefs: 0213C0B9
#~|, xrefs: 0213BB0E
k"@ , xrefs: 0213C0A1
e?^, xrefs: 0213BEB6

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction ID: 0cd05f757dc3eed905580ea7652814695fe187d5ea0e63938db7464b1f23f01d
Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction Fuzzy Hash: 3652E0726483408BD724CF28C8917ABFBE2EFC5314F188A2DE5959B391D775D806CB92

Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00436989
GetSystemMetrics.USER32(0000004C), ref: 00436999
GetSystemMetrics.USER32(0000004D), ref: 004369A1
GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
DeleteObject.GDI32(00000000), ref: 004369C1
CreateCompatibleDC.GDI32(00000000), ref: 004369D0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
SelectObject.GDI32(00000000,00000000), ref: 004369E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

Strings

Y, xrefs: 00436BEE

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
String ID: Y
API String ID: 1298755333-3233089245
Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B

Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436804
GetClipboardData.USER32 ref: 0043681F
GlobalLock.KERNEL32 ref: 00436838
GetWindowLongW.USER32 ref: 0043689D
GlobalUnlock.KERNEL32 ref: 00436959
CloseClipboard.USER32 ref: 00436962

Strings

F, xrefs: 004368E0
{, xrefs: 004368BD
}, xrefs: 004368D1
@, xrefs: 004368EA
B, xrefs: 004368C7
K, xrefs: 004368E5
C, xrefs: 004368B8
O, xrefs: 004368CC
E, xrefs: 004368B3
N, xrefs: 004368C2
t, xrefs: 004368D6

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB

Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243

Strings

]RB, xrefs: 00425257
C`<f, xrefs: 004253D3
+$e, xrefs: 004251F2
1D6Z, xrefs: 0042539B
%\)R, xrefs: 004253AB
?P:V, xrefs: 004253B3
.T'j, xrefs: 004253BB
,X*^, xrefs: 004253A3
+$e, xrefs: 0042517A, 00425165
:@&F, xrefs: 00425393
XY, xrefs: 00425146

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
API String ID: 237503144-2846770461
Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46

Function 00419840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419CE7
FreeLibrary.KERNEL32(?), ref: 00419D24

Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Strings

pv, xrefs: 00419BB2
vt, xrefs: 00419AFC
if, xrefs: 00419B1C
SP, xrefs: 00419BF2
Wu, xrefs: 00419CE7, 00419D24
~|, xrefs: 00419B2E
tj, xrefs: 00419BBA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$SP$if$Wu$pv$tj$vt
API String ID: 764372645-1279135394
Opcode ID: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
Opcode Fuzzy Hash: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A

Function 00425D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON

Download Yara Rule

Strings

T`Sf, xrefs: 0042638C
2E1G, xrefs: 00426876
&$, xrefs: 004266A0
-T,j, xrefs: 0042636E
8I>K, xrefs: 00426858
uVw, xrefs: 00425EA0
$@7F, xrefs: 0042633C
4D2Z, xrefs: 00426346
(X#^, xrefs: 00426350
+\1R, xrefs: 0042635A
qs, xrefs: 00425E96
Wdz, xrefs: 00426396

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
Opcode Fuzzy Hash: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84

Function 021260B7 Relevance: 15.5, Strings: 12, Instructions: 458COMMON

Download Yara Rule

Strings

4D2Z, xrefs: 021265AD
$@7F, xrefs: 021265A3
qs, xrefs: 021260FD
&$, xrefs: 02126907
uVw, xrefs: 02126107
T`Sf, xrefs: 021265F3
2E1G, xrefs: 02126ADD
-T,j, xrefs: 021265D5
+\1R, xrefs: 021265C1
(X#^, xrefs: 021265B7
Wdz, xrefs: 021265FD
8I>K, xrefs: 02126ABF

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction ID: 9f1d6bf66a6c09cf1082a959082ca12ed41cffceed8143a23b56c0da185a1bc3
Opcode Fuzzy Hash: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction Fuzzy Hash: 01422CB0905369CFDB64CF56D981BCDBBB1FB05300F1185E8C1996B262DB748A8ACF85

Function 02119AA7 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 02119F4E
FreeLibrary.KERNEL32(?), ref: 02119F8B

Strings

SP, xrefs: 02119E59
~|, xrefs: 02119D95
if, xrefs: 02119D83
pv, xrefs: 02119E19
tj, xrefs: 02119E21
vt, xrefs: 02119D63

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: ~|$SP$if$pv$tj$vt
API String ID: 3664257935-1422159894
Opcode ID: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction ID: 2dbf38afd0e26cd04cec60a13fc59b6ff3bba0d02946652a9ffe47c4a222c623
Opcode Fuzzy Hash: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction Fuzzy Hash: 8B621870689350AFE724CB24CC91B2FBBE2EFC5318F18863CE5A597290D771A845CB56

Function 00417405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON

Download Yara Rule

Strings

5&'d, xrefs: 004175E5
O, xrefs: 00417625
~, xrefs: 00418158

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 5&'d$O$~
API String ID: 0-1622812124
Opcode ID: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
Opcode Fuzzy Hash: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A

Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D

Strings

)RSP, xrefs: 004259A1
B"@, xrefs: 00425818
=^"\, xrefs: 00425ABF
`J/H, xrefs: 00425826
rp, xrefs: 00425834

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94

Function 00415720 Relevance: 11.8, Strings: 8, Instructions: 1798COMMON

Download Yara Rule

Strings

F2}0, xrefs: 00415A76
NR@:, xrefs: 00416291
L, xrefs: 004162B2
DASS, xrefs: 0041629C
9?4<, xrefs: 00416345
a, xrefs: 004163D3
BYQZ, xrefs: 00416286
R(RW, xrefs: 00416265

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3642574725
Opcode ID: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
Opcode Fuzzy Hash: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

+P%V, xrefs: 0041C8FD
,X0^, xrefs: 0041C90B
C`6f, xrefs: 0041C919
4D"J, xrefs: 0041C8E8
,\/b, xrefs: 0041C912
2T'Z, xrefs: 0041C904
C`6f, xrefs: 0041C73C, 0041CBB1, 0041CC7D
*H%N, xrefs: 0041C8EF

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5

Function 0211C667 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

+P%V, xrefs: 0211CB64
,\/b, xrefs: 0211CB79
2T'Z, xrefs: 0211CB6B
4D"J, xrefs: 0211CB4F
*H%N, xrefs: 0211CB56
C`6f, xrefs: 0211C9A3, 0211CE18, 0211CEE4
,X0^, xrefs: 0211CB72
C`6f, xrefs: 0211CB80

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction ID: eedd14aac00b105a06c04efae682c1a3f08f436448e8aa41e2d1099322fcc536
Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction Fuzzy Hash: 503238B19802118BCB24CF24C8927B7B7B2FF95314F2992ADD8415F794E7759802CBD2

Function 02108AE7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02108B0B
GetCurrentThreadId.KERNEL32 ref: 02108B15
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02108BBC
GetForegroundWindow.USER32 ref: 02108BD1
ExitProcess.KERNEL32 ref: 02108D1E

Strings

6W01, xrefs: 02108C1C

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction ID: b8119d4ac36c96a109aa36d594b407411a6e85609a36fe25d28a0508d7e5caff
Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction Fuzzy Hash: 9D518E73A843040FD728AF659C85356BAD79FC1314F1FC1399955AB3E5EAB488068BC1

Function 00420D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

2W<Q, xrefs: 00420F46
%K9U, xrefs: 00420F3E
?S2], xrefs: 00420F4E
"G3A, xrefs: 00421026
>C;M, xrefs: 00420F2E
>C;M"G3A, xrefs: 004211E3
<O)I, xrefs: 00420F36
?_%Y, xrefs: 00420F56

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction ID: 1eff8263789fd2a08f3fecf0f268f16acf59bb1ac0ae24da522a1f75b62227ff
Opcode Fuzzy Hash: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction Fuzzy Hash: 28E101756083108BC324CF64C89276BB7F1EFE6314F498A5DE4D69B3A4E3389905CB96

Function 02120FF7 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

2W<Q, xrefs: 021211AD
<O)I, xrefs: 0212119D
?_%Y, xrefs: 021211BD
"G3A, xrefs: 0212128D
%K9U, xrefs: 021211A5
?S2], xrefs: 021211B5
>C;M"G3A, xrefs: 0212144A
>C;M, xrefs: 02121195

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
Instruction ID: 5ce4836277cd256feeb600769cb6d52dfc40e56bed850f7285b8a5f083ca366d
Opcode Fuzzy Hash: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
Instruction Fuzzy Hash: A4E1F1715483508BC728DF64C89276BB7F2EFD6324F198A1CE4D98B391E3349909CB92

Function 00427860 Relevance: 10.4, Strings: 8, Instructions: 409COMMON

Download Yara Rule

Strings

/), xrefs: 00427944
3=, xrefs: 0042795C
bX_^, xrefs: 00427C10, 00427C14, 00427D78
JW, xrefs: 004279BD
+5, xrefs: 0042794C
]_, xrefs: 004279C8
J+, xrefs: 004279D3
r}B, xrefs: 00427D60

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: J+$JW$]_$bX_^$r}B$+5$/)$3=
API String ID: 0-2499027453
Opcode ID: 4f300e806615f3e46f25d2dfee94d4050b3e57adbeef3450ddc0df426ccfbfa4
Instruction ID: 44c300c69855992b2f16a9d4ad0dfeec6e614c77fc8171f72a5c7ce453eec0d9
Opcode Fuzzy Hash: 4f300e806615f3e46f25d2dfee94d4050b3e57adbeef3450ddc0df426ccfbfa4
Instruction Fuzzy Hash: 9FD1DEB461C340DFE7249F25E881B6BB7A2FBC6304F94892DF1858B391DB749805CB5A

Function 0040D545 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

CoUninitialize.OLE32 ref: 0040D555

Strings

~wxH, xrefs: 0040D64F
|qay, xrefs: 0040D641
&W-Q, xrefs: 0040D7B9
?C*], xrefs: 0040D7A4
9Y, xrefs: 0040D854

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 3213364925-1959178137
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95

Function 0210D7AC Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 02136BE7: GetDC.USER32(00000000), ref: 02136BF0
Part of subcall function 02136BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 02136C11
Part of subcall function 02136BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 02136C21
Part of subcall function 02136BE7: DeleteObject.GDI32(00000000), ref: 02136C28
Part of subcall function 02136BE7: CreateCompatibleDC.GDI32(00000000), ref: 02136C37
Part of subcall function 02136BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02136C42
Part of subcall function 02136BE7: SelectObject.GDI32(00000000,00000000), ref: 02136C4E
Part of subcall function 02136BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02136C71

CoUninitialize.COMBASE ref: 0210D7BC

Strings

?C*], xrefs: 0210DA0B
&W-Q, xrefs: 0210DA20
9Y, xrefs: 0210DABB
~wxH, xrefs: 0210D8B6
|qay, xrefs: 0210D8A8

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 3248263802-1959178137
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: 4cfc84a57298ed6a1839eec60b75e785d66f1f3555f4304262f6bce4d7d6355a
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: 01B125756447818BE725CF6AC4E0762FBE2FF96304B18C1ACC4D64BB8AC778A406CB51

Function 004186FC Relevance: 8.5, Strings: 6, Instructions: 1000COMMON

Download Yara Rule

Strings

NmNo, xrefs: 004188F5
]a_c, xrefs: 00418871
tu, xrefs: 00418829
H)G+, xrefs: 00418852
<, xrefs: 0041913F
+, xrefs: 00418DD8

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: +$<$H)G+$NmNo$]a_c$tu
API String ID: 0-4096164410
Opcode ID: 6d71389cbb69697272ef7968fa8146cab96ec6b278bf575547bf9789760e162a
Instruction ID: c7a3f77f71ded0b9311dc6516a729683f4fb7c759b6558f4b3eb03d829b5ec1a
Opcode Fuzzy Hash: 6d71389cbb69697272ef7968fa8146cab96ec6b278bf575547bf9789760e162a
Instruction Fuzzy Hash: 925216741093509FD724CF28C8917ABB7E1FF86314F184A6DE4D68B391DB38A845CB9A

Function 0040AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

8)*6, xrefs: 0040B1B7, 0040B064, 0040B232, 0040B084, 0040B1C3, 0040B25C, 0040B215, 0040B229
]f, xrefs: 0040B021, 0040B025
8)*6, xrefs: 0040B0B0
Ds, xrefs: 0040AEE8
}v, xrefs: 0040AED8
:33F, xrefs: 0040B0A4

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction ID: 415c6ff438417329eae15ed8e7d658c137838348542c9c9b1d71c747cb23f456
Opcode Fuzzy Hash: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction Fuzzy Hash: 88B1F67520C3408BD324CF6884546AFBBE1EFD2304F18896DE8D56B391D779890ACB9E

Function 0210B097 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

}v, xrefs: 0210B13F
Ds, xrefs: 0210B14F
]f, xrefs: 0210B288, 0210B28C
:33F, xrefs: 0210B30B
8)*6, xrefs: 0210B2CB, 0210B499, 0210B42A, 0210B2EB, 0210B4C3, 0210B490, 0210B47C, 0210B41E
8)*6, xrefs: 0210B317

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction ID: d7e13919bf02b0b5e62e60ba9b02a334ae1d5bcdddd419ba180c300b3996b2f3
Opcode Fuzzy Hash: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction Fuzzy Hash: 1EB12B7524C3508BD324CF6884906AFFBE1AFD2218F58892CE4D59B391D7B5CB0ACB56

Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

K3, xrefs: 00425C4A
)RSP, xrefs: 004259A1
=^"\, xrefs: 00425ABF
B:, xrefs: 00425C36
bX_^, xrefs: 00425BBD
C@, xrefs: 00425C40

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91

Function 0043F150 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

S"(w, xrefs: 0043F220
d5fg, xrefs: 0043F195, 0043F1B0
f, xrefs: 0043F3AD
d5fg, xrefs: 0043F1EF
S"(w, xrefs: 0043F44C

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 2994545307-2961185688
Opcode ID: deb92bf670ae709ad561b25b35214b4440f864299bd2f8ca6b994e53228b85f7
Instruction ID: d96f39f5747abd94facca9cdfd6dc8715fedad9b00cb7f1fec3a1bbed5632043
Opcode Fuzzy Hash: deb92bf670ae709ad561b25b35214b4440f864299bd2f8ca6b994e53228b85f7
Instruction Fuzzy Hash: E812C575A093519FC724CF18C880B2BB7E1AFC9314F18963EE8A4573A1D775DC098B9A

Function 0213F3B7 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

S"(w, xrefs: 0213F6B3
d5fg, xrefs: 0213F417, 0213F3FC
d5fg, xrefs: 0213F456
f, xrefs: 0213F614
S"(w, xrefs: 0213F487

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 0-2961185688
Opcode ID: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction ID: 19e0acad13b62c9e768ca4f9a2d7bd3ed61b850dd26ee6dfd009e40c3259c750
Opcode Fuzzy Hash: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction Fuzzy Hash: 6F12E775A493519FC325CF18C880B2EBBE2AFC5318F18866CF4A55B7A1D771D806CB92

Function 00428437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

J'N!, xrefs: 00428B3B
vu~r, xrefs: 00428868
LMR|, xrefs: 00428848
"#, xrefs: 00428B43
H}}C, xrefs: 00428850

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: "#$H}}C$J'N!$LMR|$vu~r
API String ID: 0-1530353048
Opcode ID: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
Instruction ID: 7cb9c3f936be8fd3a75d1e4abfb2bd6291e29c03686ec294c1ddfd7f13708a2f
Opcode Fuzzy Hash: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
Instruction Fuzzy Hash: 0DE16CB5608351CFC7108F24A84126FB7E1AF96308F58487EE8C597342DB39DC05CB5A

Function 004042B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

IEND, xrefs: 0040478F
IHDR, xrefs: 004046AC
IDAT, xrefs: 0040471B
), xrefs: 00404337
), xrefs: 0040432D

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction ID: 257f26cc5f2a74aac9bf87ca9c2577b9cb81d69ed2dc1e03b5bd0bdbb9992778
Opcode Fuzzy Hash: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction Fuzzy Hash: C302E2B46083848FD704CF29D89176ABBE1EBC6304F14853EEA859B3D1D379D909CB96

Function 02104517 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

IEND, xrefs: 021049F6
), xrefs: 0210459E
IHDR, xrefs: 02104913
), xrefs: 02104594
IDAT, xrefs: 02104982

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction ID: 7a5b6c10130ed03228e70c9137c4cc799e0441b6c82f80d5f6934c3938f2d65e
Opcode Fuzzy Hash: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction Fuzzy Hash: CD02EF746483848FD714CF29C8D076ABBE1EB86300F05866DEA858B3D1D3B5E909CB96

Function 004092A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

#"2., xrefs: 004093C2
!oW1, xrefs: 004093CA
RRP\, xrefs: 0040973E
C, xrefs: 0040960D
P, xrefs: 0040948B

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 099b8e97d4c783248d299f08155666f1876e613e1bac2d45a50adfc1c6749069
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: B8C1167221C3918BD3258F29D49076BBFE2AFD3304F18896DE4D44B3C6D679890AC796

Function 02109507 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

C, xrefs: 02109874
RRP\, xrefs: 021099A5
#"2., xrefs: 02109629
P, xrefs: 021096F2
!oW1, xrefs: 02109631

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: eda063c13f1c6caf035864c639b323fe84ecce3b211f5368ba204640dddc52fc
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: 8FC1377165C3914FD3248F29C4A176BBFE2AFD3604F18896DE4D04B382D3B9840ACB92

Function 00429FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

lvhu, xrefs: 0042A34B
d~`}, xrefs: 0042A35B
sf, xrefs: 0042A36B
,fbV, xrefs: 0042A353
ooKv, xrefs: 0042A363

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
Instruction ID: aaedd27545ab9ed709b9694aed24c663919bae5b675873c34d327438eaef385a
Opcode Fuzzy Hash: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
Instruction Fuzzy Hash: 14E139B15483518FD714CF24D8817ABB7E2AFD1304F48896DE9D587382E679E908C78B

Function 0212A305 Relevance: 6.7, Strings: 5, Instructions: 407COMMON

Download Yara Rule

Strings

lvhu, xrefs: 0212A5B2
ooKv, xrefs: 0212A5CA
sf, xrefs: 0212A5D2
,fbV, xrefs: 0212A5BA
d~`}, xrefs: 0212A5C2

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction ID: efaaf5cd089f9032885ab5b383d31d15d6f7bb2bf880f3f85bf3c305d517cc11
Opcode Fuzzy Hash: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction Fuzzy Hash: F2D107B15483919FD724CF14C8917ABB7E2AFC5304F08892CE5D68B341E779EA09CB86

Function 00409790 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

{u, xrefs: 00409A7E
kh, xrefs: 00409BE3
nz, xrefs: 004098E3
*+, xrefs: 00409B1E

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: *+$kh$nz${u
API String ID: 0-424779605
Opcode ID: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
Instruction ID: 1b29a9faac5300f3ffc5f62fe3d46617b85d137f0c3ce0abae63967b27c05819
Opcode Fuzzy Hash: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
Instruction Fuzzy Hash: 2AD103716087508BD724DF35C851BABBBE2EFC1318F18896DE4D59B392D638C809CB46

Function 021099F7 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

nz, xrefs: 02109B4A
{u, xrefs: 02109CE5
*+, xrefs: 02109D85
kh, xrefs: 02109E4A

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: *+$kh$nz${u
API String ID: 0-424779605
Opcode ID: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction ID: 57744ad7df7e4b48e013c9f71c060b57ff8964db1d14cb9ffb12cf363a020809
Opcode Fuzzy Hash: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction Fuzzy Hash: 42D1F3716483508BD724DF38C8A1BABBBE2EFC1318F18896DE4D58B292D774D409CB46

Function 0042FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

BVAI, xrefs: 0042FF6A
mc, xrefs: 0042FDF9
_Pna, xrefs: 0042FD26
t, xrefs: 0042FCCC

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction ID: 048c6723a0782cba0ed5f5bfde42b0dc355c8231af3653691a455654dcaa2d5e
Opcode Fuzzy Hash: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction Fuzzy Hash: 03A1C37050C3D18AE739CF2594103ABBBE1AFD7304F58897ED0D997382DB79814A8B5A

Function 0212FF23 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

BVAI, xrefs: 021301D1
mc, xrefs: 02130060
t, xrefs: 0212FF33
_Pna, xrefs: 0212FF8D

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
Instruction ID: c222ed13b36e13a5ea78688ad2f0225c47a922bf8a230a4f50108c222e02a4bb
Opcode Fuzzy Hash: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
Instruction Fuzzy Hash: 9CA1B47054C3C18AE739CF2584107BBBBE2AFDB304F18896DD0D997682D779814ACB56

Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
8<j?, xrefs: 0042ED50
4b, xrefs: 0042EDDA
0, xrefs: 0042ED00

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A

Function 0042A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

zi, xrefs: 0042AE8C
v, xrefs: 0042ACB0
bt, xrefs: 0042AE84
v, xrefs: 0042AE5D, 0042AD90, 0042AE45, 0042ADD1, 0042AC34, 0042AB80, 0042AC4B, 0042ABC1

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: v$v$bt$zi
API String ID: 0-1945541540
Opcode ID: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction ID: bba7ce1cbd9d7b5964ace128991244c7d88d52c60c2cfa081a52f8c92ce1e01e
Opcode Fuzzy Hash: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction Fuzzy Hash: 48D1687260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60ACB86

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

,D,J, xrefs: 0041BD19
'P0V, xrefs: 0041BD31
9HiN, xrefs: 0041BD21
WT, xrefs: 0041BD39

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86

Function 0211BE2C Relevance: 5.2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

Strings

,D,J, xrefs: 0211BF80
9HiN, xrefs: 0211BF88
WT, xrefs: 0211BFA0
'P0V, xrefs: 0211BF98

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction ID: ae41a8695f5a39636fa6a68c7fb5efa5c8bdd939795bcfb3308c1a97ca196a4b
Opcode Fuzzy Hash: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction Fuzzy Hash: 5B71C0B558D3958BD304DF12C8802AFBBE2FBD1314F188E6CE5D85B251D739854A8F86

Function 021273B2 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

KGFU, xrefs: 0212757C
FOOE, xrefs: 0212756E
KGFU, xrefs: 02127628, 0212762B
UUQg, xrefs: 0212758A

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: FOOE$KGFU$KGFU$UUQg
API String ID: 0-60738199
Opcode ID: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction ID: 62bc8477b215829dc04ceb4204e333c28d2a1deaa6eb44a938cf6ff6ba360235
Opcode Fuzzy Hash: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction Fuzzy Hash: 1D51B1B29C16738FD714CB68C8405ABFBA2EF55310B1E4665D8658B3C1D334E91BC791

Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

defgau`c, xrefs: 00421FCA
au`c, xrefs: 00421FC6
(ijkdefgau`c, xrefs: 00421FBE

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction ID: e077c08026441789f2384525beb931856e433a8fb10ce9bf48ff95afe867dbef
Opcode Fuzzy Hash: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction Fuzzy Hash: E8D10FB16083509FC714DF28C891B6BBBE1EFC5318F18892DE9858B391E7B9D805CB56

Function 021220D7 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

au`c, xrefs: 0212222D
(ijkdefgau`c, xrefs: 02122225
defgau`c, xrefs: 02122231

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction ID: 01b61d90eb2c4c37dea6c360f939e8462e4f1f4c47fce89660c5c00d59f8af24
Opcode Fuzzy Hash: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction Fuzzy Hash: 79D1AEB16483908FD714DF28C891AABBBE5EFC5318F14892CF9858B391E775D809CB52

Function 00434CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

., xrefs: 00434DE2
K, xrefs: 00434DDE
$, xrefs: 00434DE6

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction ID: 6a15d43e6d9dc7541644536baa1fca88b34eed3a23bb6af0385b7f8a4183f52c
Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction Fuzzy Hash: 69029E71614BC08BE3158F3DC891392BFE2AB56304F1CC9AED4DACB787C229E5458B65

Function 02134F56 Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

K, xrefs: 02135045
$, xrefs: 0213504D
., xrefs: 02135049

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction ID: f2fe18d41bc0f64dad6973a761127bb2c20b85318e04bf33eef07a0f9c547c75
Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction Fuzzy Hash: C9029D71614BC08BE3198F3DC891352BFE2AB56304F0CC9ADD4DACB78AC279E5458B65

Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
8<j?, xrefs: 0042ED50
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A

Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
8<j?, xrefs: 0042ED50
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A

Function 0212EE1A Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0212EFCF
8<j?, xrefs: 0212EFB7
4b, xrefs: 0212F041

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: 482a90b53e3be27ff54803163605d3915a64a5763dfc8d0d66df8d09247d87cb
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 0D81EA6024C3918BD719CF39856137AFBE29FD6218F2C896DF4D58B281D379C50ACB16

Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

ut, xrefs: 004090E1
Z, xrefs: 004090E8
#=0, xrefs: 00408FC5

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756

Function 021091F7 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

#=0, xrefs: 0210922C
Z, xrefs: 0210934F
ut, xrefs: 02109348

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: 42d3a945511ead4ed7eb64260d71ddddd0654dd79c184a917e0c59020751881d
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: F481053110C3828AD7058F38C5A076AFFE1AF93618F1899ADD4D29B6D3D769C50AC752

Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
8<j?, xrefs: 0042ED50
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A

Function 0212EE08 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

D, xrefs: 0212EFCF
8<j?, xrefs: 0212EFB7
4b, xrefs: 0212F041

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: 4e91ba10509c99057e522f134dd552df8ce00cc9fb23ae0ddfc6b0978cc1ae6a
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81D9612483918BD719CF3984A137AFFE29FD6218F1C496DF4D18B281D339C50ACB56

Function 00442D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

D`a&, xrefs: 00442ED5
bX_^, xrefs: 00442D22
NMNO, xrefs: 00442E20

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: InitializeThunk
String ID: D`a&$NMNO$bX_^
API String ID: 2994545307-620122162
Opcode ID: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
Opcode Fuzzy Hash: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759

Function 0041825B Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

7, xrefs: 004183A3
gfff, xrefs: 004183EA
), xrefs: 0041837A

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: efcf1df4711dd3b4980222b1e3f150a22642c4af62dee3075cfc2de176e6feb6
Instruction ID: 9f03ba7914f0360cb7709cea8ad3b28f347f0d2189de7c473bd193f5a0b7fd0c
Opcode Fuzzy Hash: efcf1df4711dd3b4980222b1e3f150a22642c4af62dee3075cfc2de176e6feb6
Instruction Fuzzy Hash: D4812572A142118BD324CF28DC417AB77E2EBC8314F18C92ED985DB395EB3CD8468785

Function 021184C2 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

7, xrefs: 0211860A
), xrefs: 021185E1
gfff, xrefs: 02118651

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction ID: 5386bd131c15603fb9593596c4608c3c37134d7ede0c1f8828f48437460f5d4a
Opcode Fuzzy Hash: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction Fuzzy Hash: 61812772A542518BD328CF28CC51BAB77D2EBC4314F1AC93DD495DB395EB38D5068B81

Function 00427133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

FOOE, xrefs: 00427307
UUQg, xrefs: 00427323
KGFU, xrefs: 00427315

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: FOOE$KGFU$UUQg
API String ID: 0-2281124432
Opcode ID: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction ID: e3d0f05a3102c402a5be3d16b6d50dde008b8d5973f854c9b7a8b98ef3316d4d
Opcode Fuzzy Hash: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction Fuzzy Hash: 9A619D72B49262CFD710CBA4D8402AAF7A2EF55310B5D42ABD8558B382E33CDD12D3A5

Function 0041AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

5230, xrefs: 0041AFC1
t]ae, xrefs: 0041B081
I`af, xrefs: 0041B038

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
Instruction ID: cc3bff843b66776ddd05c04f0bda8cfb631fd3a3b5e3538274f97fe5caba7e22
Opcode Fuzzy Hash: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
Instruction Fuzzy Hash: D7515972A15B804FD738CF66C891767BBE3ABA5304F19896DC1C287695DABCA405C704

Function 0211B18B Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

I`af, xrefs: 0211B29F
t]ae, xrefs: 0211B2E8
5230, xrefs: 0211B228

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction ID: c82dbcb598043c5e25759bf7f640b69b66c4d0938de340b83326361af9066621
Opcode Fuzzy Hash: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction Fuzzy Hash: 31513772A59B808FD739CF65C891B67BBE3AB91308F19896DC1C287695DBB9A005C700

Function 0041DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

A, xrefs: 0041DC18
1, xrefs: 0041DBA3
5230, xrefs: 0041DB20

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction ID: e76a71f95e24524307293e01d01a6f58a23ad2f1a40c0433447d02162c8ae966
Opcode Fuzzy Hash: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction Fuzzy Hash: F8416972A5C3405AE324AE65CC827ABB6D3EBD1324F18C93EF1D9472C5E9F848428316

Function 0210092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02100966
., xrefs: 0210095F
GetProcAddress., xrefs: 021009DC, 021009DF, 021009E4

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8d3964254565dfb7a40da2e234806515813b4f54de45dc01fec139ea16ba0e7d
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 573148B6900609DFDB10CF99C880BAEBBF9FF48324F15404AD845A7250D7B1EA45CBA4

Function 00414C20 Relevance: 3.5, Strings: 2, Instructions: 989COMMON

Download Yara Rule

Strings

UA, xrefs: 004155D4
NP,?, xrefs: 00415070

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: NP,?$UA
API String ID: 0-2573221895
Opcode ID: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
Opcode Fuzzy Hash: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789

Function 0041F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON

Download Yara Rule

Strings

B, xrefs: 00420058
9B, xrefs: 004201A0

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 9B$B
API String ID: 0-4208784936
Opcode ID: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
Instruction ID: b8962ee0846928653caa32ab1d9872d6313577c24d17d84896ac92dc99d0ed25
Opcode Fuzzy Hash: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
Instruction Fuzzy Hash: EF72B1B1619F808ED329CF3C8805397BFD6AB5A324F188B5EA0FA877D2C77561018756

Function 0042B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

{wBy, xrefs: 0042B538
?;;, xrefs: 0042B3AA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: {wBy$?;;
API String ID: 0-3800777323
Opcode ID: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
Opcode Fuzzy Hash: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A

Function 00431E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 00432051
nz, xrefs: 0043204A

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: a3c1cfee1f99e453375e064e447a228442ae2f14524e15aa7be5cf63e3ec65e5
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: ACE11872608B808FD315CA3CC891396FFE2AFDA314F1D866DC5EA8B392D675A406C715

Function 021320F5 Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 021322B1
nz, xrefs: 021322B8

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: 0595a21b0f34da2779b8163bd3e774a810e440d158280e19aca7cd4d4a89eb3a
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: 62E1E772608B808FD315DB3CC891396BFE3AF9A310F1D866DC5EA8B392D675A805C751

Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 004275E6
yr, xrefs: 004275CE

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786

Function 021276F7 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 0212784D
yr, xrefs: 02127835

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction ID: ccddbab88ac9dbbc84c2e044d8d2c8942bd826e3034fd6aaf9af98ae2c9f5395
Opcode Fuzzy Hash: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction Fuzzy Hash: E391267694C3608BD320DF19C854A6BF7E2EFC5324F09892CE9D95B391E7B4850AC786

Function 02142F87 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

D`a&, xrefs: 0214313C
NMNO, xrefs: 02143087

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: D`a&$NMNO
API String ID: 0-4143563191
Opcode ID: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction ID: e1338bde36659543b433f2822998b76e3412c76adc1f1493ac4d857675c59c7b
Opcode Fuzzy Hash: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction Fuzzy Hash: 268136316483455FD318DF28DC81A6BB7A3EFC5328F29C66CE9A94B391DB31A809C751

Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 00428375
:7$%, xrefs: 004282F6, 004282C5

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82

Function 021284E7 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 021285DC
:7$%, xrefs: 0212855D, 0212852C

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction ID: b1a9c986a6c8a153888d36987e1bae779e1067417a18ba2696bd65e9dbf51bd0
Opcode Fuzzy Hash: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction Fuzzy Hash: B421B0715183908BD7089F79C964B6FFBE6BF86318F145A2CE1D287291DBB4C409CB82

Function 0210AC99 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

MO, xrefs: 0210AC36
MO, xrefs: 0210AC9E

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: f23d8909be9cac85cdd2bb68434d9148cd9c1c476272fef1fddd2926260da402
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: 5F1197741843858BEF148FA89ED2667BFA0EF46220F249998DD855F38BC778C502CF64

Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

7&'$, xrefs: 00440445
vA\, xrefs: 0044049C

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C

Function 02140694 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

7&'$, xrefs: 021406AC
vA\, xrefs: 02140703

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: f56a36cb5a2328df8591713326f5a73b0afb96c76a988bbf2a1fa24c884f6c9f
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 77F068345545944BDB958F3D98996BE67F0E757214F202AB5C65BE32A2CB31C4828F08

Function 0041194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00411D64

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction ID: a8cfc5bf14821c73dd49e5f1522f5c4ec20a02328b59693b871348f0b0df5eb8
Opcode Fuzzy Hash: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction Fuzzy Hash: E4420A71A04B408FD714DF38D9813A6BBE1AF95314F188A3ED5EB8B3D2D639A446C706

Function 0043CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON

Download Yara Rule

Strings

/p, xrefs: 0043D2AD

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: /p
API String ID: 0-62938030
Opcode ID: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction ID: ba8b9978e2f20e60afdbbdaba48a15688935c3ff76d45a9363d37c1b9ca99bef
Opcode Fuzzy Hash: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction Fuzzy Hash: 7C32003AA18351CBD7049F39D81226BB7E1FF9A320F19887ED8C183291E779C955C786

Function 02117AE4 Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02117E61

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction ID: 17589f4ea65a266eae853b6b3a1ee5662cabae491b25076f3ba45119e7b70803
Opcode Fuzzy Hash: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction Fuzzy Hash: D8B1E0769487218BC314CF28C8917AAF7E2FFD9314F19962CE8C55B394E7389902C796

Function 02117FFA Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 021182CF

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 63f8c36fe892800652800f2eb1c86de349cf38f6bbdc27b7255af2ab7d33a2e4
Instruction ID: 59256bea4e97f8b530b70924b0e6405a85f2aa0c37efa4375185d2b473f6e711
Opcode Fuzzy Hash: 63f8c36fe892800652800f2eb1c86de349cf38f6bbdc27b7255af2ab7d33a2e4
Instruction Fuzzy Hash: 7791EF755083118BD728CF28C89176BB7E2FFC9314F1A8A6DE8C98B254E7389901CB46

Function 00437B69 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00437C90

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction ID: c3200330e68ce6aff19a63fed1a4000c560c1f69ed3aeb6105e6dfa3e47a6751
Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction Fuzzy Hash: 9C91C3B1E042548FCB18CF6CC89179EBBF2AF89310F2982ADD855AB391D7759C01CB91

Function 00432426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 0043249F

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction ID: fda16036ad69fd6001319f3414ba3134900024cf57a0a68240a2308677c6b07d
Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction Fuzzy Hash: 82127D71609AC18FE3158B38C591392BFE1AB66304F1CC9AEC4EACB387D63AD5068755

Function 0213268D Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 02132706

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction ID: 26426caa0c57839ea2f1ab5318fc4b1838b9b70177cb3527e4af6a1c36e4ef1a
Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction Fuzzy Hash: F9127D75609AC18FE3158B38C991392BFE2AB66304F1CC9ADC4E9CB387D63AD506C751

Function 004374AB Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 004375CB

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction ID: 45239876aaa66c970168bcac432cbab02119562676560ecae2c3189c67bbcca7
Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction Fuzzy Hash: 6571C7B1E046508FC718CF6CC851359BFF2AB99314F2982ADD8999F3D2D6759C06CB81

Function 02137712 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 02137832

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction ID: c991098d2942e1330a8ba3735ebbe51c6be24e551b09b5deec56a927cd917676
Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction Fuzzy Hash: BC71B5B1E046508FC719CF6CC851359BFE2AB85314F2982ADD8999B3D2D7759806CB81

Function 00435D13 Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00435DB9

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction ID: f2a30e19a756ef2febaf58aa14edd62971e43cb539abc4116fa3d4166735a6c9
Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction Fuzzy Hash: 51913A21208BC28ED3268B3C88486157F915B67228F2C87DCE0FA8F7E7C6568107C366

Function 02135F7A Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02136020

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction ID: 8f7f33534c1155c82858add8b8e6177612938ff13f6db767dd12b5b71042ed13
Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction Fuzzy Hash: 51912B11208BC28ED7268B3C88586157F925B67228B2D87DCD0FA8F7E7C7578107C366

Function 0043443D Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004344E1

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction ID: 615ca32909d59e4e98a0e547278d02967b49bf7f3b148c397c41720c4b96474d
Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction Fuzzy Hash: EB912C11208BC28EC326CA3C88586557F921BA7228F2D87DDD0FA8F7D7C7669507C766

Function 021346A4 Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02134748

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction ID: 2a6f63f53f274c2719391d736a44e2961b05b532b03c66aa236f66577199a951
Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction Fuzzy Hash: 2E912B21208BC28EC326CA3C88586557F921B67228B2D87DCD0FA8F7D7C7669107C766

Function 00422380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 004223AC

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
Opcode Fuzzy Hash: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A

Function 021225E7 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 02122613

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction ID: 3983290d6fd2335681fc544608f0b0aa6463c583f74d04b6e5b87d4475d88796
Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction Fuzzy Hash: 5EA1E572A883209BD7149F24CC817AF73E1EF81324F198528FC959B291E375ED59C752

Function 0043C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043C7C0

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
Opcode Fuzzy Hash: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799

Function 0213C807 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0213CA27

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction ID: 993707e29881803d9eeff06886ba90ad4faafeb075afa3bf8289254efe38a485
Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction Fuzzy Hash: 40A149726843109BD725CF28CCC1B7BB7A7EBC5728F19862DE59867294D7319801CBD1

Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0041C360, 0041C364

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A

Function 0211C148 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0211C5C7, 0211C5CB

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction ID: 3883b6cc8dcef48c76b85bebe2a1d7b4bfb12ab289dbd19937482fd30b24428d
Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction Fuzzy Hash: A39110B16983108BC314CF28C89166BB7E2EFC1364F189A2DE8D68B790E778C505C797

Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00417069

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A

Function 0040DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0040E295

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95

Function 0210E249 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0210E4FC

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: 36a2f563dffbc950d33f107955b6241340eabd8a5ff9c9aa4c75c12c97de5944
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: 329105B5604B818FD3158F26C9D0662FBA2FF56304B19869CC0D28FB56C779E406CF95

Function 00442470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442490

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
Opcode Fuzzy Hash: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A

Function 021426D7 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 021426F7

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: _\]R
API String ID: 0-1576797437
Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction ID: 423a7ca2f62ec043ce47bbd2c4737e90bf8997a8b7dc59a4ed136a52272c5c1e
Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction Fuzzy Hash: 799128316483529BC718DF28C850A6FB7E2EFD9324F19856CF9C997291EB31D841CB86

Function 00427F30 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 00428074, 00428093, 004280C4

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 862311005c7391fdfde23addbd4ed3329e2a257a31929c347f63ca686a793f95
Instruction ID: 7661637dc5d8e8a5c488f056d59cc6aa38c937314abadac712079a8ab4c4f304
Opcode Fuzzy Hash: 862311005c7391fdfde23addbd4ed3329e2a257a31929c347f63ca686a793f95
Instruction Fuzzy Hash: 308157717093209BD7149B25AC92B3F73A1EF81314F59862EE985573C1EB3C9C1A839A

Function 02128197 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 021282DB, 021282FA, 0212832B

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction ID: 44892d0f856a689a37bbf21d6997815d0246af92606d078c65545a335e670424
Opcode Fuzzy Hash: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction Fuzzy Hash: 94814AB1A883205BD7149F648CD1B2F73A6EFC1314F1A863CF8954B281E735D819C7A5

Function 00406000 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00406169

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction ID: 01c58491163616012ee55187fd92943d7eb5500c339a617f16e03986bf466463
Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction Fuzzy Hash: 86B138711093819FD321CF18C88065BFBE0AFA9304F444A2DF5DA97782D675EA18CBA6

Function 02106267 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 021063D0

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction ID: f81f718cea34ff01307e1637895fdcedf0664efaeae007c94692e942105a2583
Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction Fuzzy Hash: 88B138712083819FD324CF58C89465BFBE4AFA9204F448A2DF5D997382D771EA18CB97

Function 00433930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 004339CA

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: ef403fb1259512c9711d70f2e7d5f4cfd006a755ed026aeb3bab0d0ce1423d2c
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: 49816827759AD04BD7289E3C4C6127ABE830BD6230F2DD77EB5F68B3E2D56889018345

Function 02133B97 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 02133C31

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: fae630b8e427c4637ac50e37632e286b503d438759fe9f5fc43af62aa089000e
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: EE813836799A904BD72D9A3C4C212BA7A930BD6130F2DC7BDB5F68B3E1D65988058384

Function 004427B0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 004428B7

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: =^"\
API String ID: 0-2152245029
Opcode ID: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
Opcode Fuzzy Hash: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A

Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042DA2E

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A

Function 0212DA97 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0212DC95

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: b68b8ee6eb1f2a40f800c4263b7cabbb4edcd2fabbd5b452baf09f5c928b4adb
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 0D71E132A483694BD7248E28E89031EB7E2EBC6714F19D52DF4949B391D375DC6CCB82

Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0041AA58

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
Opcode Fuzzy Hash: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5

Function 0211AB67 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0211ACBF

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: 444e3a20757e40161321b7d149714b1cf4b28fe595423ac9573433922ff3365f
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 5C51EFB0511B408BC7389F25C8617B7BBF1EF42349B084E6DC5C38BA45E739A509CBA1

Function 02117137 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

*+, xrefs: 021172D0

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction ID: 3e6b2c37756b795338a32a0e5b6c8f60277c8445bb85ae85ea34af1dfdc4dc72
Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction Fuzzy Hash: E4612FB144A3818BD371CF2588917DBFBE2AF96318F14892CD5C89B294EB384146CB87

Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00440CA6

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85

Function 02140E12 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 02140F0D

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 8d8a9ec3e315515b55e14745e5f4a637f183bb5fe625cb81f23eee33c11acab2
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 6A31BE705646928BDB15CF35C891BB6BBF0FF4B214B144758C8C59B681EB38A592CB81

Function 0211F937 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction ID: 315ed3402c9a6e601fe367402de4c0384023fa186efaa2458d8a1e3a203e1341
Opcode Fuzzy Hash: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction Fuzzy Hash: A272CFB1609F818ED329CF3C8805397BFD6AB5A324F188B5DA0FA877D2CB7561018756

Function 00402EF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: f14b1a32a054cc5d02357b16e4139c05c7a1a12d214dcc5fef3fcda50377de84
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: 3C52F2715083458FCB14CF24C0806AABFE1BF89314F198A7EF8996B391D779DA49CB85

Function 02103157 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: 81de3178b02573627d1b8e82480a43665547980fc46ec917c4d13e48a45f8261
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: 6052D5715483858FC719CF19C0D06AABBE1FFC8318F1986ADE8A95B391D7B4E849CB41

Function 02111BB6 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction ID: fd683bdb7b64b25e1117a4d46679004425cc6daa7ec5a7adf27abbcdb2c8b754
Opcode Fuzzy Hash: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction Fuzzy Hash: B942D771A44B408FD718DF38C89536ABBE2AF95310F198A3DC9AA8B3D1D775E405CB42

Function 00406850 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction ID: 65e2e910a3c29fe674c350ea84f17f1873166e83f436a48a2f56d7b4a0c34cae
Opcode Fuzzy Hash: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction Fuzzy Hash: 7652E270A08B848FE731DB24C4847A7BBE1EB52310F15483ED5EB167C2D37DA9958B4A

Function 02106AB7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction ID: 6fa67e4775fe9a603e338c8573b0bf7c840b46e36e55f2672d85ffc05409bacb
Opcode Fuzzy Hash: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction Fuzzy Hash: 4E52C0B0A88B888FE735CB24C4C43A7FBE1EB45314F14592EC5E646AC6C3B9B586C715

Function 0043080E Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: 7a46f96e6aa3aa7fe73ff395c1311c5ab64b68b87e261d37d1a00d802d05be89
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: 9942B4B0505B809FD315CF39C996793BFE1AB56314F18CA9ED4EE8B382C2399445CB91

Function 02130A75 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: 20df6d54f481c9acda1a4af378aaa57303645571e09edf9c498495e0fdb6d169
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: A542B3B0505B809FD315CF39C996793BFE1AB56310F18CA9DE4EE8B386C2399445CB92

Function 00407620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 02107887 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: d15d488aa64868cc07a678b419cb530f32215fa8fa617d1cd0e7327044ef5ae7
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 8D12D332A487528BC725DF18D8806BBF3E2BFC4319F19892DD996972C4D774B812CB42

Function 00403900 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction ID: 8ec60f5116ed2b9ea6bd41125fce4102d17c63a0885b3531693fd8b8e290e5dc
Opcode Fuzzy Hash: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction Fuzzy Hash: 09322370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18

Function 02103B67 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction ID: 9b042c166b02a5162bedb995254d7440f2844c2548e408d54369b32df5831679
Opcode Fuzzy Hash: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction Fuzzy Hash: CE3212B0654B118FC328CF29C6D056ABBF1BF85610B504A6ED6A787F90D7B6F885CB10

Function 00426C76 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54

Function 00441B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45

Function 0040E9B0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction ID: 0d842de8c269587a107e17bcba800491c000644a8f7bd6d00a783dd33ebb532c
Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction Fuzzy Hash: 5D123CF0900B00AFC360DF39D946797BFE8EB46360F144A2EE5EE97281D73561158BA6

Function 0210EC17 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction ID: 69ec315d63e60c992600bb37ae1d673dc6ff844fed903b72aa8ed83512946cfa
Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction Fuzzy Hash: 34123BF0900B00AFC360DF39D946797BFE9EB46260F144A2EE5EE87281D73125058BA2

Function 00405AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96

Function 00441BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45

Function 00441C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46

Function 0041D400 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction ID: 381d8ba9b41755d1dc6d15d311edfbcab53db212d726a0c48d74eb4341d637bc
Opcode Fuzzy Hash: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction Fuzzy Hash: 63C146B5908300AFD7109F24DC81B9BBBE2BFD5354F148A2EF4E8932A1D77998458B46

Function 0211D667 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction ID: 0b0530209130da29ca8d73efe2dcd89dab5c15e26d14a964439187e677b2c91f
Opcode Fuzzy Hash: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction Fuzzy Hash: 2EC1C376948301AFD711DF24EC40B1ABBE2BFC5765F148A3CF498A72A0D7B29945CB42

Function 00432B24 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: 1ceb5ad02d8bbd155c1732c87becb70ba2bb68f476a2c3c7809d4ed59241557d
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: 4CF13B72605B808FD315CB3CC8513A6BFE2AF9A314F1C866DD1EB8B392D679A805C715

Function 004354C4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction ID: 3f1c9d1a024df14266348ce370e510d7f88b70138a1f1607deade05ec74f5600
Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction Fuzzy Hash: 3DF19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55

Function 0213572B Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction ID: 3e8c0dceb04a85f2ba29dd22013dd6028e1a1b2bb118ff935ec824aa8b19fabb
Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction Fuzzy Hash: B7F19B62625AC18FE3158B3DC811392FFE2AB56304F0CCAADD0D9CB787C26DE5418755

Function 02114E87 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
Instruction ID: cc6ed536f638d1f34f0c151842f8a9dab43a0d4322ed7549d22e326ab4efb558
Opcode Fuzzy Hash: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
Instruction Fuzzy Hash: B08154B2A5831187C728DF28CC9276B73E2EFC1314F19852CE8868B795F7789905C792

Function 004121DB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction ID: d9e51bed8acac8e2edf38fb82beeca54912ebc64a1188df36e5052ebbd943c0e
Opcode Fuzzy Hash: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction Fuzzy Hash: F3C117B5604B408FC7109F38D5D13A6BBE1AF55314F18893ED4EBCB382E679A456CB06

Function 02112442 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction ID: d502c9062091ddecbc33de4484a97b4a808154af931e69bca70465ed039c0821
Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction Fuzzy Hash: C5C1D6B1A44B408FD7249F38C8D13A6BBE2AF55314F19893DC8EA877C1E776A405CB52

Function 0041D0C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction ID: caf67132f2853a10be2cec12a01a7e8acbb33fc6e304049243772e7507394de4
Opcode Fuzzy Hash: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction Fuzzy Hash: 36913B72A082614BC715CE28C89169FBBE1AB85324F19867DECF95B3D2C238DC45D7D2

Function 0211D327 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction ID: f79a475f6d3fcf1888ea1a7d3e69c9499b68268fbc15eeb98f5cad8295044989
Opcode Fuzzy Hash: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction Fuzzy Hash: DF9139726482614FC716CE28989075FBBE2AB85228F19867DECF99B3D1C734D805C7D1

Function 004063C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: b5a54add573a1b485231af3f9cb3d4e6e0a3023674c66bc51678a471f8a90890
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 35C15BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 02106627 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: 8345a488f44664c91b153ad316dd9646b4ff10d7446a9b1cc181b8b8f7657c7e
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 62C15CB2948781CFC364CF68CC96BABB7E5BF85318F08492DD1D9C6242E778A155CB06

Function 00428B67 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction ID: bb3a0c3427b6ad34a24ef151da1f5bba878f0071efde783ca6760e8be5e6876f
Opcode Fuzzy Hash: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction Fuzzy Hash: BFA122356087A1CFD7248F38A85136E77A2FF8A320F09866DE5A5873D1DB34AD10CB85

Function 00408360 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: e04948112db42d3daa275aef66cee61d38744a578a2e7a742b1881ec96335045
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: 2A915B31A083564BC3119E24CA8425BBBD2ABC1310F19CA3ED8D1A73E9EE7DDC458BC5

Function 021085C7 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: 6749e9155b681128c922fd8a7a8b8d0c1d7962bd1aaa927052c4307e52388f2d
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: AF915B71A4C3564BC3159E28C8C435BBBE2ABC1314F1BCA69D8E1873E9E7B4D8458BC5

Function 00427070 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
Opcode Fuzzy Hash: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44

Function 00442A60 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb21838f3ad10fc43b638198dd1134618e6e0b80ebbda8d61bfab39d96dcf556
Instruction ID: 6a93b08fa6992d126e12a7bd6c306b93c6ef3d764d3eda4b37502e868ad0b706
Opcode Fuzzy Hash: bb21838f3ad10fc43b638198dd1134618e6e0b80ebbda8d61bfab39d96dcf556
Instruction Fuzzy Hash: A581F0342043169FD724DF28C980A6BB3E1EF89324F58862DF9958B3A1E774EC11CB49

Function 02142CC7 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction ID: 20dc589a2b6d796f7f7c413a2a03b1a44f629c80d260a38314a68c2ec4e712d9
Opcode Fuzzy Hash: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction Fuzzy Hash: 8B81A1352443559FC724DF28C890A6AB3E1EF89324F55866CFD998B3A1EB31E891CB41

Function 0043F820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction ID: fae485aafa8165bbfa862cfdd16e6316f883ffda102aca194f523248728328e0
Opcode Fuzzy Hash: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction Fuzzy Hash: D381B47160C3828FC319DE28C49062BBBE2AFC9314F198A7EE4D58B391D735D84AC756

Function 0213FA87 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction ID: d388697d09ec93e7786372c16c3a303e937b1c9cc04bbea25266122be1248b72
Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction Fuzzy Hash: 7081E97164C3918FC31ACF28C4A066EBBE3AFC5214F19866DE4E58B791D731D806CB52

Function 02142A17 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction ID: 43c4c0507ccf47eb4cc6b7270faff026d47f720e520c445b4d2c88637c749072
Opcode Fuzzy Hash: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction Fuzzy Hash: C581C0342452059BD728DF2CC890A2AB7F2EF89314F15856CFD998B3A0EF31E991CB45

Function 00429ADE Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction ID: c17fc45f9444ad44d9f96848d075c221a78d48c9dc0fb9f00e6e29a18ae657e2
Opcode Fuzzy Hash: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction Fuzzy Hash: C97167B2A087248FD7088F29D85133BB6D2ABC5314F49467DE8969F392DB349C01CB86

Function 0042DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B

Function 0212DE57 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: bc2e14b907299c9e7ef312c2917f2e189d590fb186b23bf57000f4bb18c56213
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 9571ABB414D3E18BE73A8F25959879BBFE1AF93308F184A5CE0D90B292C735440ACB57

Function 0040CFEC Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: 6f13f5d4f3e8c77ab841d9a888d2aead65439f765ee3ddc41d93c1b162d9100a
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 5B516A726057008FD329CF38CC92B577BA3AFD6314B1D866DC4964B796EB39A406C744

Function 0210D253 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: 20940e6479b7d676e70b7ec323de74bf83c0b40b011da2f9311adc7217aeab7e
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 9A515A726457008FD329CF38CCC2AA67BA3EFD6314B1D866CC5964B796DB79A006CB50

Function 0041DCB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction ID: 4a8760de8a520384406f5fad9824bc60f729446c1310b2ee7c15e8b6ebb7b759
Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction Fuzzy Hash: A5616E37B49A8047E72C8D3C5C5129ABA834BD7330B2DC77EE5B58B3E5D9A94C424345

Function 0211DF17 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction ID: 538e1fcf9e34a776e355de986d290594f4929847e6241ace0613d19ae4073768
Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction Fuzzy Hash: 14617C37789E804BE72C8D7D5C5126ABA834BD7234B2EC77DE9B5873E5DA7448028380

Function 0041A690 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction ID: b37770cdf87477bf2dfa5a22c66fb25a4c567325bff618d86bd3e0eb2f8cdddf
Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction Fuzzy Hash: D8610737B668904BD7249A3C4C112EA6A130BD733473DC376E974CB3E6C62A8C564396

Function 0211A8F7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction ID: 4b218b494f34aec14f30f12a475bd2ffe4b1672959af377b0aa99c31ddfec2b2
Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction Fuzzy Hash: 3161C537B6A9D04B97288A3C5C512AA7E530FD723472EC376A9B5DB3E5C7354805C390

Function 0042BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789

Function 0212BE07 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 93284dbe2e4f613002e006171a75de95e6f8ca45c22de7bb2a2662484573d191
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 7161D23164C2604BD7249E2D888032EF7D2AF86738F2A872DF6B48B3E5D73199598745

Function 0041B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754

Function 0211B6EB Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction ID: fd89e6e77ab9204fff1b7301b4483ea47747b8b49bff87db66404a2d963f4dae
Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction Fuzzy Hash: E2413A766587814BD3298A35C862773BFA3AFA3308F1C947DC4D38B656DB39A10B8710

Function 0040CA62 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction Fuzzy Hash: 3E5136766083118BC718DF64D89266BB7E2FFD4304F18DA2EE4C69B390DB749801C786

Function 0041B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354

Function 0043ACB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: D0515DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E987351E379DA088B96

Function 0213AF17 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 5350e738b0a196d36946ff1cbfe237b463a01ccf3c5656d9fa89a9140fc46514
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: AC513CB15087548FE314DF29D89475BBBE1BBC4318F144A2DE5E987390E37AD6088F82

Function 004418A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A

Function 00402210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A

Function 02102477 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 1ad63d2833fcd389e14ee1a20c9ffcf4e94d522de2ff97664ec2677c5493ab0a
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: BA51B3B19047419FD3209F28DC8871AB7A5AF85338F14473CECA9972E0E771E915CB8A

Function 00436610 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 54c58fb9e562efe4acf2d46a46492020a6cdaf8e3d7bcc25f04f53f15c8a0988
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: 435169377499A15BD7288A3C5C222667A830BEB238F3ED76FE4B1CB3E5D55C88024345

Function 02136877 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 5f0f1636741ac1ebcb5a73bd463cdadc9265b8136139558992e9a208ca8c1688
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: AB517C337899D05BD72D8A3C4C522667A874BE7234B2EC77EE4F5CB3E2D66588018358

Function 0043CB40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 871487b85ee081f61f96075d83eee7838f6093090311bf861c268766400ad4d7
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: 6751E573E159304BD7249D7D9C8125BBA926B86330F2A833AED75EB3D0D6389D0143C5

Function 00441FB0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
Instruction ID: 6705176f642ca22527a1125600c687b766c57a0aa9d8b170dddf9af2695ae971
Opcode Fuzzy Hash: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
Instruction Fuzzy Hash: 0251133421E340DBD3888F38D9A066BB7E2FB86315F48897DE4C687291D335D85ACB45

Function 021160EF Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction ID: 0b378c3cbfe096d3c88575fb66abcd29c7352c0291cafe4bd6dbcdb42f859ddf
Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction Fuzzy Hash: 72513CB29482815FD724CF2CC89177AB7E6AFD5214F084A7DE0DAC7292E736D905CB42

Function 0043C9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
Opcode Fuzzy Hash: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A

Function 0213CC07 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction ID: 8b6b96cede083ea36f15af2067a5aaad4563b90d44a4abde3f953a97813795d3
Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction Fuzzy Hash: 1D415971A443146FE7159F64DC80B6BBBA6EF85B04F15842DFD85A7150EB32E804CBD2

Function 02142017 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction ID: d4f460c3b89c2f4431363bb8f0e01f1efb99063a2f49f34543986331488da25a
Opcode Fuzzy Hash: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction Fuzzy Hash: 3131D2315483804FD308CF29889262BFBE2ABCA314F59D96DE895CB266DB38D541CB41

Function 0040A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4

Function 0210A2C3 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 7ca20e6db2e6ef2265e777abb508c1958a0f788c65ef0e31ff64c86ef239d1f9
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: BE414237B506514BC31C8E64C8E23AAFBA2FF8921471E512DC955D7795D7B8980247C4

Function 0041B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58

Function 0211B4AA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: a6b4377e208e3fc368da79758147d215748999cd425d17428e791f5e04301b56
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: 0B3125312447818FCB288F39D4617ABBBF1DB4A218F18456CC1D387782C339A546CB14

Function 0041AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
Opcode Fuzzy Hash: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769

Function 00402B20 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction ID: 049965bb47efd5a04a2fd3c18b74188d46e65301c4fa73dca4455e1bd43b6f7b
Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction Fuzzy Hash: 9921D4382581B10BD7188F3C98F4577F7A0A787312729027FEBC2933D2D668A9559668

Function 0210BA6C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction ID: 7651034275103393deca0637358bc49e6e8de9b4155624b2cf4551bfeb953b2f
Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction Fuzzy Hash: 7721BB71645B408FE721CF22C8917A7BBF2EB85314F05996DC1C297A95CBB8A4068B44

Function 00438520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359

Function 02138787 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9cfc27e4f15947b3801f21e095513ffdd009cadb8147549cf7d9770b99087f7c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8C11A933A451D40DC3178E3C88505A5BFA30A93579F5A43E9F4B49B2D2D7238D8B8755

Function 0042BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9

Function 0041B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44

Function 00569893 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494574605.0000000000569000.00000040.00000020.00020000.00000000.sdmp, Offset: 00569000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_569000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 9cf86d2973a983745af818e412eacebd7188087e93f60b373794e8675f7229b3
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: F7117C72340100AFD754DF55DCC1EA677EAFB89360B298069ED04CB312D675E801CB60

Function 0211B3EB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: 50905aa32948174f046b8a45dbe5f2c35627c34531fb5f3bfda3336021eae434
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 3D11E631104B508FD7348F25C825377BBE19B67318F198A6DC1E787AD1DB7AE10A8B40

Function 02118809 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction ID: 86e4959d3d2fdba9b81762025fcdfe687219064c8a01765f0792cf7d228678be
Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction Fuzzy Hash: FB11E9345C1220FEE268AF19DDD2F3D3261EB46718F268638F155970E1D7717850CA0D

Function 0041B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9

Function 0211B3DA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: 8517723e887d247771089defe84ee4d1f59957a430c7a0c16624889eef9a6bd5
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 3F017C601082C28FEB128F28D410BA6FBE0AF53318F1996D6D4D58B683D3799A49CB65

Function 0041B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9

Function 0041BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9

Function 0040C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7

Function 0211BAE9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: c0f7acbd541741e5a8c61511c6a15c5628ca3f0184034c61c5c20e8f1d1842b6
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: 50018F201082C28FEB124B28C410BA6FFE0AF53318F1996D6D0D58F6C3D3799A45C765

Function 0041AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9

Function 0211B166 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 866e44885a62ce54fe0f3c200eafea313cdce2032ca0449fc4a027dfcb150473
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: E901AD201082C28FEB124B28C410BB6FFE0AF53318F1996E6D0D58F2C3D37A8A49C765

Function 0040C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

Function 0210C59B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: d870db9388c14e92850467a047fee80f1b943e78008b97874e7c2bc5c6431232
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 3111047465C3808BD318CF28D9C076EBBE2ABC6214F244A2CE5C117296C7B1950ACBA6

Function 0211773F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction ID: 06b5badb4c5ecdce08dea935f4ed4ee2c60c5cfbdb325ee6b56ef16f6684c94c
Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction Fuzzy Hash: F401A26554D3C14BD7268F3494543EABBE19F97314F0848BEC0C157192EB39814BC729

Function 0043F0E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
Opcode Fuzzy Hash: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9

Function 0213F347 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction ID: 45aaebf0e17f81a718f0b5ab3075cc72871feca76fb5f6055016002b44f4877a
Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction Fuzzy Hash: 6AF0D675980228BBD2114B499C81D3B776FEBCE768F140318E51853561E322E912CAA9

Function 0212B8B5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction ID: 50c454b513b0e1d60a06226902f2578f2c3b8db25897c14e27da939dfc1dfd54
Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction Fuzzy Hash: 6EF096F4A4C621DFDA188F18EC4273A73A6EF86358F14452CF1552B174D331A925DA09

Function 00418672 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E

Function 021158FA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction ID: 027e117a6df6b9f2d18fd30ba2577570c86f41819ac764fa053a91c27512297d
Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction Fuzzy Hash: 09F0BE34659211EFD718CF08D890539B363FBC6328FD8827CE0A8470A8C73078518A4A

Function 02126BA7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction ID: 4c33e50ea93afcfd41b15f5924414bf436f2857bb121d2ac53b72c77d5841cf6
Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction Fuzzy Hash: 8FF08274A81022EFD71C8F189950A3FF373FB46325F699124E515231E0D330BC26CA48

Function 00409E09 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC

Function 0210A070 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 59533f2f378063958e70d4a58184ec0d41dfbea96c54f316e02d4ee63dc24258
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 91E0DF389102498FC704CF58C8A2A77B7B0EF0B304F14A469DA83EB360E3789905C7AC

Function 0040CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D

Function 0210D12E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: f91cf7e0ed735b76968527ece6c9311530663c700f60172ddc7e2451c5242614
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: E0E0FD3469C6C08FD218EB15DCF08797367AF85308726542D805717ED6DBB4A856CF0E

Function 0042B652 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F

Function 0041F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C

Function 0211F507 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 8264f0122144d1b37ed2fd3b456fe30bfbc7bf40c52825e3c7f16af22b9d81a8
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: CFD0A76158C7A10E97A8CD7854A087BFBE4E947516B1815AEF4D1E7505D330EC028658

Function 0040D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D

Function 0210D59B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: a611846b0fa20e9d8ad4a3b201c71c1ff61f7edb375d67ac721352836e98058b
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 6EC04C69A6C4008A924CCB55AC9053172769B8B254B15E029802A53255E2649457C94D

Function 021421EA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E

Function 02141C3E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C

Function 02136A57 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02136A6B
GetClipboardData.USER32 ref: 02136A86
GlobalLock.KERNEL32 ref: 02136A9F
GetWindowLongW.USER32 ref: 02136B04
GlobalUnlock.KERNEL32 ref: 02136BC0
CloseClipboard.USER32 ref: 02136BC9

Strings

O, xrefs: 02136B33
}, xrefs: 02136B38
C, xrefs: 02136B1F
B, xrefs: 02136B2E
F, xrefs: 02136B47
{, xrefs: 02136B24
N, xrefs: 02136B29
@, xrefs: 02136B51
t, xrefs: 02136B3D
K, xrefs: 02136B4C
E, xrefs: 02136B1A

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction ID: 77dcc37273657a30de4e737d48430d486c59e309712728f86e8c66bed2498cbb
Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction Fuzzy Hash: 25415C7050C3818ED311EF78948835FBFE5AB92318F05096DE4D987296D7B9C548CBAB

Function 021255CF Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 0212572D

Strings

C`<f, xrefs: 0212563A
%\)R, xrefs: 02125612
?P:V, xrefs: 0212561A
,X*^, xrefs: 0212560A
.T'j, xrefs: 02125622
:@&F, xrefs: 021255FA
1D6Z, xrefs: 02125602

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
API String ID: 999431828-351939610
Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction ID: 98815a668fff7cd6cd6910722281def0a154962e2b2d34272f4a8a4bcd47f89b
Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction Fuzzy Hash: B631FCB41493548FC314CF15C89122BBBB2FFC1324F40981CF6964B720E779994ACB42

Function 02136BE7 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02136BF0
GetCurrentObject.GDI32(00000000,00000007), ref: 02136C11
GetObjectW.GDI32(00000000,00000018,?), ref: 02136C21
DeleteObject.GDI32(00000000), ref: 02136C28
CreateCompatibleDC.GDI32(00000000), ref: 02136C37
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02136C42
SelectObject.GDI32(00000000,00000000), ref: 02136C4E
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02136C71

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
String ID:
API String ID: 2843486406-0
Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction ID: 88dc72446b61d773bae4b1778e9fe447bce96a13afddce8d0a62a169f9209d73
Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction Fuzzy Hash: F6214FB9544310EFE3509F609C49B2B7BF9EB8AB11F014929FA59A2290D77498048B67

Function 02125367 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 02125411

Strings

XY, xrefs: 021253AD
+$e, xrefs: 021253CC, 021253E1
E#G, xrefs: 021253A1
+$e, xrefs: 02125459

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$XY$E#G
API String ID: 237503144-1023387988
Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction ID: 889aa99dfa24cbfc1346f60c0a782832a5c5f50b7e18343fc2dcb72d1edded62
Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction Fuzzy Hash: AC21363024C344AFE3148F65E88171FBBE0EBC6714F24C82CE5A85B282D775C80A8F86

Function 02125A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 02125B5B

Strings

B"@, xrefs: 02125A7F
`J/H, xrefs: 02125A8D
rp, xrefs: 02125A9B

Memory Dump Source

Source File: 00000000.00000002.1495037524.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_H5JVfa61AV.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$`J/H$rp
API String ID: 237503144-3817236508
Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction ID: e554684047942922bbb0540b9233d797576653ad7eae3a1ed7d03634a553576d
Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction Fuzzy Hash: BC31CDB0E443589FDB14CFA9D8827DEBBB2EF45700F50002CE441BB295D6B55906CFA9

Function 0042F0FD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0042F23F

Strings

aN@, xrefs: 0042F2FC
Wu, xrefs: 0042F23F

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: FreeLibrary
String ID: aN@$Wu
API String ID: 3664257935-2510175649
Opcode ID: 6923c55db78119380e5fe35a3321c238481177c04641367e3fdf37507d6e1cbb
Instruction ID: fb7b49653fcfe6187a11668ca7033b53e8d7d933bb39412ee55706a61e0bd157
Opcode Fuzzy Hash: 6923c55db78119380e5fe35a3321c238481177c04641367e3fdf37507d6e1cbb
Instruction Fuzzy Hash: 5951777460C3C08BE3358B299C557ABBFE29FE2308F48096DE0D95B3D2DA74440AC75A

Function 0040BA80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A9E), ref: 0040BA86
FreeLibrary.KERNEL32 ref: 0040BAA7

Strings

Wu, xrefs: 0040BA86, 0040BAA7

Memory Dump Source

Source File: 00000000.00000002.1494345886.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1494345886.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H5JVfa61AV.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
Instruction ID: 76f8199259777ce60f51c6d99c718f1815bb22ab62b72bec75753df54c08d8dc
Opcode Fuzzy Hash: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
Instruction Fuzzy Hash: E2C0023B8620009BDE857FA0FD898187A31FB4A30531C44B4B80140036DAA20960AA59

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H5JVfa61AV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_H5JVfa61AV.exe_c079c8b64396d0d72967da28d3d02fefd64b69c5_89c80047_e9df0b74-74fc-491d-adc2-2467fdf6c185\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6DE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9CD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9EE.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
H5JVfa61AV.exe

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Function 00569FB6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0210003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 02100E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON