Edit tour

Windows Analysis Report
L#U043e#U0430d#U0435r.exe

Overview

General Information

Sample name:	L#U043e#U0430d#U0435r.exe renamed because original name is a hash value
Original sample name:	Ldr.exe
Analysis ID:	1591987
MD5:	9308e5d6497e88a58c627c0cf6443203
SHA1:	57d7900725fe4d06dcd53eb937053349233f06e0
SHA256:	d02a9086b3c2f36aaf611c778b60e31705e1d9795d9d8657b6cc78c632dcd7a4
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

L#U043e#U0430d#U0435r.exe (PID: 1616 cmdline: "C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe" MD5: 9308E5D6497E88A58C627C0CF6443203)

WerFault.exe (PID: 3556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 948 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["savorraiykj.lat", "leggelatez.lat", "finickypwk.lat", "shoefeatthe.lat", "miniatureyu.lat", "kickykiduz.lat", "washyceehsu.lat", "bloodyswif.lat", "feerdaiks.biz"], "Build id": "HpOoIh--5defa06fc6ab"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2189061530.0000000000683000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12d8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:07.643220+0100	2028371	3	Unknown Traffic	192.168.2.6	49709	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.883688+0100	2059189	1	Domain Observed Used for C2 Detected	192.168.2.6	64172	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.963066+0100	2059191	1	Domain Observed Used for C2 Detected	192.168.2.6	54536	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.927018+0100	2059199	1	Domain Observed Used for C2 Detected	192.168.2.6	62532	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.904976+0100	2059201	1	Domain Observed Used for C2 Detected	192.168.2.6	56849	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.916811+0100	2059203	1	Domain Observed Used for C2 Detected	192.168.2.6	55268	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.942629+0100	2059207	1	Domain Observed Used for C2 Detected	192.168.2.6	53990	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.952157+0100	2059209	1	Domain Observed Used for C2 Detected	192.168.2.6	62847	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:06.895505+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.6	65200	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:15:08.093029+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49709	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: L#U043e#U0430d#U0435r.exe

Avira: detected

Antivirus detection for URL or domain

Source: feerdaiks.biz

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.L#U043e#U0430d#U0435r.exe.7c0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["savorraiykj.lat", "leggelatez.lat", "finickypwk.lat", "shoefeatthe.lat", "miniatureyu.lat", "kickykiduz.lat", "washyceehsu.lat", "bloodyswif.lat", "feerdaiks.biz"], "Build id": "HpOoIh--5defa06fc6ab"}

Multi AV Scanner detection for submitted file

Source: L#U043e#U0430d#U0435r.exe	ReversingLabs: Detection: 73%
Source: L#U043e#U0430d#U0435r.exe	Virustotal: Detection: 71%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: L#U043e#U0430d#U0435r.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: finickypwk.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: savorraiykj.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: kickykiduz.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: miniatureyu.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: leggelatez.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: washyceehsu.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: bloodyswif.lat
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: feerdaiks.biz
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--5defa06fc6ab

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Unpacked PE file: 0.2.L#U043e#U0430d#U0435r.exe.400000.0.unpack

Source: L#U043e#U0430d#U0435r.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov esi, edx	0_2_00408740
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_0042E002
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_0042E002
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_004161DF
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]	0_2_004251E8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	0_2_004082A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then push eax	0_2_00440310
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov eax, dword ptr [00448B08h]	0_2_004273A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch]	0_2_004273A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then lea eax, dword ptr [esp+50h]	0_2_004273A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	0_2_00417451
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407400
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407400
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7E3E42A0h	0_2_0043C410
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then push esi	0_2_0043C410
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042D420
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042B430
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	0_2_0042E5C2
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_004165EE
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	0_2_00415590
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov edx, ecx	0_2_004095A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	0_2_0041F710
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000DEh]	0_2_0041F710
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_004427E0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042E7EB
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042F799
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	0_2_00429871
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov ecx, eax	0_2_0042A810
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then jmp eax	0_2_004288BA
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	0_2_00402940
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+0Eh]	0_2_0040A910
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+32DBB3B0h]	0_2_00427A50
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then push dword ptr [esp+28h]	0_2_00426A00
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+05CAF138h]	0_2_0040BA29
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00438AF0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_0041AA90
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_0041AA90
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then push 00000000h	0_2_0040CB44
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2564CAB9h]	0_2_0043EB00
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 4x nop then mov ecx, eax	0_2_00420B10

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.6:56849 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.6:53990 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.6:64172 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.6:54536 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.6:55268 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.6:62847 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.6:65200 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.6:62532 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49709 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: savorraiykj.lat
Source: Malware configuration extractor	URLs: leggelatez.lat
Source: Malware configuration extractor	URLs: finickypwk.lat
Source: Malware configuration extractor	URLs: shoefeatthe.lat
Source: Malware configuration extractor	URLs: miniatureyu.lat
Source: Malware configuration extractor	URLs: kickykiduz.lat
Source: Malware configuration extractor	URLs: washyceehsu.lat
Source: Malware configuration extractor	URLs: bloodyswif.lat
Source: Malware configuration extractor	URLs: feerdaiks.biz

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: //.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189241451.000000000071E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https: equals www.youtube.com (Youtube)
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: n.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; obje equals www.youtube.com (Youtube)
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=62c260756d799ca3731bb489; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 15 Jan 2025 15:15:08 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: feerdaiks.biz
Source: global traffic	DNS traffic detected: DNS query: bloodyswif.lat
Source: global traffic	DNS traffic detected: DNS query: washyceehsu.lat
Source: global traffic	DNS traffic detected: DNS query: leggelatez.lat
Source: global traffic	DNS traffic detected: DNS query: miniatureyu.lat
Source: global traffic	DNS traffic detected: DNS query: kickykiduz.lat
Source: global traffic	DNS traffic detected: DNS query: savorraiykj.lat
Source: global traffic	DNS traffic detected: DNS query: shoefeatthe.lat
Source: global traffic	DNS traffic detected: DNS query: finickypwk.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=I8QM230l1pb_&a
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=dK492ur3
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=ugSp
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=gOyfgA0bHRkL&am
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: https://help.st
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152474067.0000000000704000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189197450.0000000000704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900$
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152474067.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Code function: 0_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004363E0

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Code function: 0_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004363E0

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Code function: 0_2_00436590 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

0_2_00436590

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2189061530.0000000000683000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A5B	0_3_00726A5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EDD	0_3_00726EDD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726EC8	0_3_00726EC8
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726A9B	0_3_00726A9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A969	0_3_0072A969
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5B	0_3_00726B5B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B5D	0_3_00726B5D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00727522	0_3_00727522
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B1B	0_3_00726B1B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072A7C6	0_3_0072A7C6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00726B9B	0_3_00726B9B
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00408740	0_2_00408740
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00440A0D	0_2_00440A0D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0040AE60	0_2_0040AE60
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00430050	0_2_00430050
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00411078	0_2_00411078
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004270D0	0_2_004270D0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00436140	0_2_00436140
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0043912C	0_2_0043912C
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004091C0	0_2_004091C0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004161DF	0_2_004161DF
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004311E6	0_2_004311E6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00432188	0_2_00432188
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00406190	0_2_00406190
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0042F195	0_2_0042F195
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004421B0	0_2_004421B0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041E250	0_2_0041E250
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041B200	0_2_0041B200
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004042D0	0_2_004042D0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004082A0	0_2_004082A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004412B1	0_2_004412B1
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041C370	0_2_0041C370
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004273A0	0_2_004273A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00420440	0_2_00420440
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00410446	0_2_00410446
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00417451	0_2_00417451
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00442460	0_2_00442460
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00419470	0_2_00419470
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00407400	0_2_00407400
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0043C410	0_2_0043C410
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0040E4B0	0_2_0040E4B0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041A574	0_2_0041A574
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004245C0	0_2_004245C0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004165EE	0_2_004165EE
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00415590	0_2_00415590
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004095A0	0_2_004095A0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00406620	0_2_00406620
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0040D690	0_2_0040D690
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00418690	0_2_00418690
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0043974A	0_2_0043974A
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00419710	0_2_00419710
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041F710	0_2_0041F710
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041C7D0	0_2_0041C7D0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004427E0	0_2_004427E0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0043B7B0	0_2_0043B7B0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0042A810	0_2_0042A810
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00433810	0_2_00433810
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004058E0	0_2_004058E0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0042D893	0_2_0042D893
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004148B0	0_2_004148B0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_004288BA	0_2_004288BA
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00415975	0_2_00415975
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0040A910	0_2_0040A910
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00441910	0_2_00441910
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00403920	0_2_00403920
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00427A50	0_2_00427A50
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041BAD0	0_2_0041BAD0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00433AD0	0_2_00433AD0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00431A88	0_2_00431A88
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041AA90	0_2_0041AA90
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00442A90	0_2_00442A90
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0041CAA0	0_2_0041CAA0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_0043CAA7	0_2_0043CAA7
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00441B40	0_2_00441B40
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00420B10	0_2_00420B10
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00402B20	0_2_00402B20
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_2_00411B20	0_2_00411B20

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: String function: 00413E40 appears 101 times
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: String function: 00407F90 appears 36 times

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 948

Source: L#U043e#U0430d#U0435r.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2189061530.0000000000683000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: L#U043e#U0430d#U0435r.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@10/1

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Code function: 0_2_00430050 CoCreateInstance,

0_2_00430050

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1616

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\39bd7187-ec94-427b-9d8a-ef4b85134da4

Jump to behavior

Source: L#U043e#U0430d#U0435r.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: L#U043e#U0430d#U0435r.exe	ReversingLabs: Detection: 73%
Source: L#U043e#U0430d#U0435r.exe	Virustotal: Detection: 71%

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

File read: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe "C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe"
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 948

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Unpacked PE file: 0.2.L#U043e#U0430d#U0435r.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.lofum:W;.yohemu:W;.level:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Unpacked PE file: 0.2.L#U043e#U0430d#U0435r.exe.400000.0.unpack

Source: L#U043e#U0430d#U0435r.exe	Static PE information: section name: .lofum
Source: L#U043e#U0430d#U0435r.exe	Static PE information: section name: .yohemu
Source: L#U043e#U0430d#U0435r.exe	Static PE information: section name: .level

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AB7F push ds; retf	0_3_0072AB80
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AB7F push ds; retf	0_3_0072AB80
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AB7F push ds; retf	0_3_0072AB80
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00724568 pushfd ; iretd	0_3_0072456D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00724568 pushfd ; iretd	0_3_0072456D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00724568 pushfd ; iretd	0_3_0072456D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072D513 push 00000078h; retf	0_3_0072D515
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072D513 push 00000078h; retf	0_3_0072D515
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072D513 push 00000078h; retf	0_3_0072D515
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AF9F push ds; retf	0_3_0072AFA0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AF9F push ds; retf	0_3_0072AFA0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AF9F push ds; retf	0_3_0072AFA0
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072BF87 push cs; iretd	0_3_0072BF88
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072BF87 push cs; iretd	0_3_0072BF88
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072BF87 push cs; iretd	0_3_0072BF88
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006D8078 push esp; ret	0_3_006D807D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DBE44 pushfd ; ret	0_3_006DBE58
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DC95E push eax; iretd	0_3_006DC960
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DD831 push esp; iretd	0_3_006DD833
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DD611 push cs; ret	0_3_006DD61A
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DB3F6 push esi; retf	0_3_006DB420
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DC6D7 push ebp; retf	0_3_006DC6DA
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DD6A9 pushfd ; retf	0_3_006DD717
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DBAA5 push esi; iretd	0_3_006DBAA6
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006E208F push ebp; ret	0_3_006E2134
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_006DC59B push esi; iretd	0_3_006DC5AD
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AB7F push ds; retf	0_3_0072AB80
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AB7F push ds; retf	0_3_0072AB80
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_0072AB7F push ds; retf	0_3_0072AB80
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00724568 pushfd ; iretd	0_3_0072456D
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe	Code function: 0_3_00724568 pushfd ; iretd	0_3_0072456D

Source: L#U043e#U0430d#U0435r.exe

Static PE information: section name: .text entropy: 7.417154688072741

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe TID: 7068	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe TID: 7068	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152474067.0000000000704000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189197450.0000000000704000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Code function: 0_2_004402D0 LdrInitializeThunk,

0_2_004402D0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: finickypwk.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: shoefeatthe.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: savorraiykj.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: kickykiduz.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: miniatureyu.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: leggelatez.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: washyceehsu.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: bloodyswif.lat
Source: L#U043e#U0430d#U0435r.exe	String found in binary or memory: feerdaiks.biz

Source: C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
L#U043e#U0430d#U0435r.exe	74%	ReversingLabs	Win32.Trojan.LummaStealer
L#U043e#U0430d#U0435r.exe	72%	Virustotal		Browse
L#U043e#U0430d#U0435r.exe	100%	Avira	HEUR/AGEN.1312567
L#U043e#U0430d#U0435r.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
feerdaiks.biz	100%	Avira URL Cloud	malware
https://help.st	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
finickypwk.lat	unknown	unknown	true	unknown
washyceehsu.lat	unknown	unknown	true	unknown
kickykiduz.lat	unknown	unknown	true	unknown
bloodyswif.lat	unknown	unknown	true	unknown
shoefeatthe.lat	unknown	unknown	true	unknown
savorraiykj.lat	unknown	unknown	true	unknown
feerdaiks.biz	unknown	unknown	true	unknown
miniatureyu.lat	unknown	unknown	true	unknown
leggelatez.lat	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bloodyswif.lat	false		high
washyceehsu.lat	false		high
leggelatez.lat	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
kickykiduz.lat	false		high
savorraiykj.lat	false		high
miniatureyu.lat	false		high
feerdaiks.biz	true	Avira URL Cloud: malware	unknown
finickypwk.lat	false		high
shoefeatthe.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900$	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152474067.0000000000704000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189197450.0000000000704000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=gOyfgA0bHRkL&am	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=ugSp	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152474067.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://store.steampowered.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=I8QM230l1pb_&a	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=dK492ur3	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000002.2189092797.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.st	L#U043e#U0430d#U0435r.exe	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L#U043e#U0430d#U0435r.exe, 00000000.00000003.2152435443.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591987
Start date and time:	2025-01-15 16:14:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	L#U043e#U0430d#U0435r.exe renamed because original name is a hash value
Original Sample Name:	Ldr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 9 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.190.159.68, 13.107.253.45, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:15:05	API Interceptor	3x Sleep call for process: L#U043e#U0430d#U0435r.exe modified
10:15:10	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	23.47.27.74
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.102.49.254
	92.255.57_1.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	104.102.49.254
	62.122.184.98 (3).ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	lumma1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	random.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	yTRd6nkLWV.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	XhlpAnBmIk.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	arm4.elf	Get hash	malicious	Mirai	Browse	23.3.198.114
	https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61f	Get hash	malicious	Unknown	Browse	23.201.255.95
	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	23.54.60.112
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	23.47.27.74
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.102.49.254
	92.255.57_1.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	mips.elf	Get hash	malicious	Mirai	Browse	23.54.60.125
	EXTERNAL Your company's credit limit has changed!.msg	Get hash	malicious	Unknown	Browse	184.28.89.29
	https://sreamconmymnltty.com/scerty/bliun/bolop	Get hash	malicious	Unknown	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Adobe-Acrobat-Pro-2025.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	Set-Up.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.102.49.254
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.102.49.254
	138745635-72645747.116.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	92.255.57_1.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	2834573-3676874985.02.exe	Get hash	malicious	Unknown	Browse	104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_L#U043e#U0430d#U_bb8376acd516e20e7ba29a2665f67f3c7f940bd_2e73e446_e8115ced-c55f-4f6c-a2ad-05d6679b80e3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.971021131579452
Encrypted:	false
SSDEEP:	192:ghpbdYC9X5cdU3v0GuRgzBjsFRzuiFxZ24IO8gc3:ARxOXGuRojIzuiFxY4IO8j
MD5:	FE761D3D5ABBA63A6985CA1840409905
SHA1:	599C768EB7D5125F82D984D55D2412EB5B7D9788
SHA-256:	1034DCDD81E7DFCBDF8B1BCAB2A4D8FFD913A018F05C35538A8752C51F79B8BD
SHA-512:	A4929354ACF8AFB2AB785D32C4DF220007A63547E5D27C3C20AA993D61D45127B8AA0B23A83D26EB0FCE632BB8AFBB7EDA87E07337A3237903A500EAACA7E3D2
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.2.7.7.0.7.9.0.7.5.1.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.2.7.7.0.8.2.9.8.1.4.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.1.1.5.c.e.d.-.c.5.5.f.-.4.f.6.c.-.a.2.a.d.-.0.5.d.6.6.7.9.b.8.0.e.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.3.0.5.d.e.1.-.1.e.1.c.-.4.d.a.b.-.b.3.0.6.-.e.a.d.1.b.1.3.8.e.3.b.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.#.U.0.4.3.e.#.U.0.4.3.0.d.#.U.0.4.3.5.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.5.0.-.0.0.0.1.-.0.0.1.5.-.4.0.6.a.-.2.4.4.0.6.0.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.4.7.4.5.7.6.8.1.8.4.f.1.e.3.3.e.7.b.9.8.9.a.9.d.e.5.b.b.9.4.7.0.0.0.0.f.f.f.f.!.0.0.0.0.5.7.d.7.9.0.0.7.2.5.f.e.4.d.0.6.d.c.d.5.3.e.b.9.3.7.0.5.3.3.4.9.2.3.3.f.0.6.e.0.!.L.#.U.0.4.3.e.#.U.0.4.3.0.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65B7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 15 15:15:08 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	45645
Entropy (8bit):	2.5910718379270077
Encrypted:	false
SSDEEP:	192:10N5bXK4ATdMlrtEGrOp1BWW9kd4wA/kitg2P3IFTWLs3MLZ6aDs5P43285KEJBx:HdMlrtEl7BWW9kqy4A0s8LZZxeELx
MD5:	1155E2AE367A6819AA8873D368BBE38B
SHA1:	86C7B64D586E73B539971E90B74BD48235580E27
SHA-256:	B41E34DDAE80E90510479BD9698799FF3470A3D191B36E0E26DFC603110779E3
SHA-512:	0BF7E155E212E1D639648A62D92DB0E0FFEF1E9103C8F38F19B6C61F7E037EF1E36894E7EE42A63BEEF012883D7ED0884EB178589F68A2751E9D0EB96FEED565
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........g............4...............H...........<.......D...B-..........`.......8...........T........... @..-r......................................................................................................eJ......\ ......GenuineIntel............T.......P.....g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6684.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8374
Entropy (8bit):	3.7018434762861405
Encrypted:	false
SSDEEP:	192:R6l7wVeJB0Q6hP6Y2DNSUMgmfKzfUypDr89baSsfl6em:R6lXJF6hP6YwSUMgmfsCaRfk
MD5:	5E85B3D79839AA8834393277BF9A1CBF
SHA1:	EA9592C84180A77A40D84DA5E556E817F94C2C63
SHA-256:	3ADB5CB0028248790992233D2995F6F57206E9390B599F2FB7252D5A3AE46466
SHA-512:	492DEA2F882C553C2D0928B83339767593DDF90D59932FEBA19478DA2144872F541AEA17EE9822E729F27081BC8D7E3BA8244F5051F562F571669BAD332863FC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66B3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4656
Entropy (8bit):	4.498351442889425
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI9CcyWpW8VYLYm8M4J4IX73FI6+q8nJGTjMnHn0d:uIjfZI7MU7VPJE61WH0d
MD5:	879FEE6FF724A4FDBEA0D022AFE1B931
SHA1:	FF5CB87DB1876F555BD99E5DA600E4D2CA35FF44
SHA-256:	958AA7A4C37133C00B6B5F5899E439F00CA58F771F21642FBFB23C5F14EEEC0C
SHA-512:	90F9F9D4855769AB64C11D0A4658E248C4A7BE05226652ED0BF0F649B1D4B9A6900CAC88C70A9B1721E1B968F11F60E0A0912BEB180BA763AE53D6DE07E31C3B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677177" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468721542550592
Encrypted:	false
SSDEEP:	6144:jzZfpi6ceLPx9skLmb0fSZWSP3aJG8nAgeiJRMMhA2zX4WABluuNEjDH5S:fZHtSZWOKnMM6bFpmj4
MD5:	15F45839C7D8CB54EBFE39F995B627C8
SHA1:	A08600E7FD62B04BEAA6D4B5482577C48E1F4D82
SHA-256:	2CC2D4C7C65BDC87703E4656DB82954B65855B18991454D0154EB9527B3ED091
SHA-512:	0BBF91A53C9EA4822370F482CA1FB45590AB454A00F9648FCA72E0F7231BE263AB15F616BC32A01899C1434C7621C43C25594B33EC7B76CB95FE852E3428C16E
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...B`g.................................................................................................................................................................................................................................................................................................................................................v........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.713902278382497
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	L#U043e#U0430d#U0435r.exe
File size:	399'360 bytes
MD5:	9308e5d6497e88a58c627c0cf6443203
SHA1:	57d7900725fe4d06dcd53eb937053349233f06e0
SHA256:	d02a9086b3c2f36aaf611c778b60e31705e1d9795d9d8657b6cc78c632dcd7a4
SHA512:	69ed6a0cd0f5e49608c2390d8906a9d5df3308eae71b9a46c763f4e1cde4230f8e12c15d0e307172466e974f5b977cb4b7b5bd26b0a46e2e1813f203afecab27
SSDEEP:	6144:oNZ0QfBd5W4QjTybTsqTECJjGpb7StUNoa:62QfhW3oTspC9Gp+tUN
TLSH:	ED84AE5262E1FC84F6BB8A335E3985A4E6AFB461FF64729B3124161F08731E1C47B712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich............PE..L.....Ye.................4.

File Icon


Icon Hash:	738733b1839b8be8

Static PE Info

General

Entrypoint:	0x4017f5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6559BCB6 [Sun Nov 19 07:43:50 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a1bd37f832788bc8010796b59678148d

Entrypoint Preview

Instruction
call 00007FE00C515F96h
jmp 00007FE00C5124FDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004495D0h], eax
mov dword ptr [004495CCh], ecx
mov dword ptr [004495C8h], edx
mov dword ptr [004495C4h], ebx
mov dword ptr [004495C0h], esi
mov dword ptr [004495BCh], edi
mov word ptr [004495E8h], ss
mov word ptr [004495DCh], cs
mov word ptr [004495B8h], ds
mov word ptr [004495B4h], es
mov word ptr [004495B0h], fs
mov word ptr [004495ACh], gs
pushfd
pop dword ptr [004495E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004495D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004495D8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004495E4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00449520h], 00010001h
mov eax, dword ptr [004495D8h]
mov dword ptr [004494D4h], eax
mov dword ptr [004494C8h], C0000409h
mov dword ptr [004494CCh], 00000001h
mov eax, dword ptr [00448008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0044800Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x46a4c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x15880	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x45000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x432fc	0x43400	37b050e40f1f1ef168d186d596d99d6d	False	0.8140211140799256	data	7.417154688072741	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x45000	0x2338	0x2400	1be5c623016a8c317f1913897c401b7f	False	0.3675130208333333	data	5.449916010675149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x48000	0x67c1c	0x1600	a67e735cfc3e485ef827ed18e38cd3d8	False	0.2869318181818182	data	2.9024908914842666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.lofum	0xb0000	0x53e5	0x4800	f9debe3f07be68533bf0295e3d2ba68a	False	0.002224392361111111	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yohemu	0xb6000	0x15a	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.level	0xb7000	0xc	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x15880	0x15a00	9b9edb1e8bc332c04aba8a87c1619883	False	0.36595691835260113	data	4.506667906299856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0xc8af8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_ICON	0xb88a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.2726545842217484
RT_ICON	0xb9748	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.40884476534296027
RT_ICON	0xb9ff0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5241935483870968
RT_ICON	0xba6b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5744219653179191
RT_ICON	0xbac20	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4237551867219917
RT_ICON	0xbd1c8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.4967213114754098
RT_ICON	0xbdb50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.4973404255319149
RT_ICON	0xbe020	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.32409381663113007
RT_ICON	0xbeec8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4481046931407942
RT_ICON	0xbf770	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5086405529953917
RT_ICON	0xbfe38	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5252890173410405
RT_ICON	0xc03a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.28846153846153844
RT_ICON	0xc1448	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.2905737704918033
RT_ICON	0xc1dd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.33687943262411346
RT_ICON	0xc22a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.2822494669509595
RT_ICON	0xc3148	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.36823104693140796
RT_ICON	0xc39f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.3721198156682028
RT_ICON	0xc40b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.3800578034682081
RT_ICON	0xc4620	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.25746887966804977
RT_ICON	0xc6bc8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.2767354596622889
RT_ICON	0xc7c70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.2913934426229508
RT_ICON	0xc85f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.325354609929078
RT_STRING	0xc8df8	0x414	data	0.45689655172413796
RT_STRING	0xc9210	0xcc	data	0.5833333333333334
RT_STRING	0xc92e0	0x538	data	0.4528443113772455
RT_STRING	0xc9818	0x548	data	0.44970414201183434
RT_STRING	0xc9d60	0x75e	data	0.4247083775185578
RT_STRING	0xca4c0	0x7d4	data	0.42115768463073855
RT_STRING	0xcac98	0x61e	data	0.4450830140485313
RT_STRING	0xcb2b8	0x4d4	data	0.46682847896440127
RT_STRING	0xcb790	0x6d4	data	0.4279176201372998
RT_STRING	0xcbe68	0x698	data	0.4312796208530806
RT_STRING	0xcc500	0x702	data	0.4258639910813824
RT_STRING	0xccc08	0x56e	data	0.4503597122302158
RT_STRING	0xcd178	0x706	data	0.42658509454949944
RT_ACCELERATOR	0xc8ad8	0x20	data	1.15625
RT_GROUP_CURSOR	0xc8c28	0x14	data	1.15
RT_GROUP_ICON	0xbdfb8	0x68	data	0.7115384615384616
RT_GROUP_ICON	0xc8a60	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xc2238	0x68	data	0.7115384615384616
RT_VERSION	0xc8c40	0x1b4	data	0.5848623853211009

Imports

DLL

Import

KERNEL32.dll

SetThreadContext, DebugActiveProcessStop, CreateProcessW, SetWaitableTimer, SetDefaultCommConfigW, GetEnvironmentStringsW, SetComputerNameW, GetTimeFormatA, GetProcessPriorityBoost, GetModuleHandleW, GetCurrentThread, SetFileTime, GetEnvironmentStrings, LoadLibraryW, GetSystemTimeAdjustment, GetVersionExW, GetConsoleAliasW, GetAtomNameW, GetVolumePathNameA, GetStartupInfoW, GetStartupInfoA, Module32First, SetLastError, GetProcAddress, GetLongPathNameA, SearchPathA, SetFileAttributesA, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, MoveFileA, AddAtomA, FindAtomA, FoldStringA, SetLocaleInfoW, OpenFileMappingW, FindFirstVolumeA, DeleteTimerQueueTimer, Sleep, ExitProcess, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, GetStdHandle, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, FreeEnvironmentStringsW, SetHandleCount, GetFileType, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetFilePointer, SetStdHandle, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, CreateFileA, CloseHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetModuleHandleA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T16:15:06.883688+0100	2059189	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)	1	192.168.2.6	64172	1.1.1.1	53	UDP
2025-01-15T16:15:06.895505+0100	2059211	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)	1	192.168.2.6	65200	1.1.1.1	53	UDP
2025-01-15T16:15:06.904976+0100	2059201	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)	1	192.168.2.6	56849	1.1.1.1	53	UDP
2025-01-15T16:15:06.916811+0100	2059203	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)	1	192.168.2.6	55268	1.1.1.1	53	UDP
2025-01-15T16:15:06.927018+0100	2059199	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)	1	192.168.2.6	62532	1.1.1.1	53	UDP
2025-01-15T16:15:06.942629+0100	2059207	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)	1	192.168.2.6	53990	1.1.1.1	53	UDP
2025-01-15T16:15:06.952157+0100	2059209	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)	1	192.168.2.6	62847	1.1.1.1	53	UDP
2025-01-15T16:15:06.963066+0100	2059191	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)	1	192.168.2.6	54536	1.1.1.1	53	UDP
2025-01-15T16:15:07.643220+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49709	104.102.49.254	443	TCP
2025-01-15T16:15:08.093029+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49709	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 16:15:06.986368895 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:06.986423016 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:06.986515999 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:06.989938974 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:06.989954948 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:07.642990112 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:07.643219948 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:07.646675110 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:07.646703959 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:07.647177935 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:07.686984062 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:07.695925951 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:07.743335009 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.093193054 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.093256950 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.093322992 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.093334913 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.093344927 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.093344927 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.093353987 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.093377113 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.093396902 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.093396902 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.093424082 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.175460100 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.175523043 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.175571918 CET	443	49709	104.102.49.254	192.168.2.6
Jan 15, 2025 16:15:08.175590992 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.175637960 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.176935911 CET	49709	443	192.168.2.6	104.102.49.254
Jan 15, 2025 16:15:08.176966906 CET	443	49709	104.102.49.254	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 16:15:06.871031046 CET	49240	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.880300045 CET	53	49240	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.883687973 CET	64172	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.892678976 CET	53	64172	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.895504951 CET	65200	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.903906107 CET	53	65200	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.904975891 CET	56849	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.914496899 CET	53	56849	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.916810989 CET	55268	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.925693035 CET	53	55268	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.927017927 CET	62532	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.941730022 CET	53	62532	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.942629099 CET	53990	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.951234102 CET	53	53990	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.952157021 CET	62847	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.960746050 CET	53	62847	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.963066101 CET	54536	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.971628904 CET	53	54536	1.1.1.1	192.168.2.6
Jan 15, 2025 16:15:06.974412918 CET	57483	53	192.168.2.6	1.1.1.1
Jan 15, 2025 16:15:06.981849909 CET	53	57483	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 16:15:06.871031046 CET	192.168.2.6	1.1.1.1	0xbd32	Standard query (0)	feerdaiks.biz	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.883687973 CET	192.168.2.6	1.1.1.1	0x75e	Standard query (0)	bloodyswif.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.895504951 CET	192.168.2.6	1.1.1.1	0x919b	Standard query (0)	washyceehsu.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.904975891 CET	192.168.2.6	1.1.1.1	0xa34b	Standard query (0)	leggelatez.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.916810989 CET	192.168.2.6	1.1.1.1	0x4655	Standard query (0)	miniatureyu.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.927017927 CET	192.168.2.6	1.1.1.1	0x9d65	Standard query (0)	kickykiduz.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.942629099 CET	192.168.2.6	1.1.1.1	0xe64a	Standard query (0)	savorraiykj.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.952157021 CET	192.168.2.6	1.1.1.1	0x197c	Standard query (0)	shoefeatthe.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.963066101 CET	192.168.2.6	1.1.1.1	0x19ed	Standard query (0)	finickypwk.lat	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.974412918 CET	192.168.2.6	1.1.1.1	0xd19	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 16:15:06.880300045 CET	1.1.1.1	192.168.2.6	0xbd32	Name error (3)	feerdaiks.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.892678976 CET	1.1.1.1	192.168.2.6	0x75e	Name error (3)	bloodyswif.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.903906107 CET	1.1.1.1	192.168.2.6	0x919b	Name error (3)	washyceehsu.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.914496899 CET	1.1.1.1	192.168.2.6	0xa34b	Name error (3)	leggelatez.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.925693035 CET	1.1.1.1	192.168.2.6	0x4655	Name error (3)	miniatureyu.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.941730022 CET	1.1.1.1	192.168.2.6	0x9d65	Name error (3)	kickykiduz.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.951234102 CET	1.1.1.1	192.168.2.6	0xe64a	Name error (3)	savorraiykj.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.960746050 CET	1.1.1.1	192.168.2.6	0x197c	Name error (3)	shoefeatthe.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.971628904 CET	1.1.1.1	192.168.2.6	0x19ed	Name error (3)	finickypwk.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:15:06.981849909 CET	1.1.1.1	192.168.2.6	0xd19	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	104.102.49.254	443	1616	C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:15:07 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-15 15:15:08 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 15 Jan 2025 15:15:08 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=62c260756d799ca3731bb489; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-15 15:15:08 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-15 15:15:08 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	10:15:02
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\L#U043e#U0430d#U0435r.exe"
Imagebase:	0x400000
File size:	399'360 bytes
MD5 hash:	9308E5D6497E88A58C627C0CF6443203
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2189061530.0000000000683000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2189273226.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:15:07
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 948
Imagebase:	0xb60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.6%
Total number of Nodes:	64
Total number of Limit Nodes:	2

Executed Functions

Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408764
GetCurrentThreadId.KERNEL32 ref: 0040876E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087C0
GetForegroundWindow.USER32 ref: 0040884A
ExitProcess.KERNEL32 ref: 00408A04

Strings

b/7, xrefs: 00408794

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: b/7
API String ID: 4063528623-2085417233
Opcode ID: 9b693b67e90034476b8d362c7defce4ca25c856685dba2b836c9a93424d95a9c
Instruction ID: 0d5a416f21ca3bcde6c043f2d710c8a16f1e6c6a059847071c546a7df00bc279
Opcode Fuzzy Hash: 9b693b67e90034476b8d362c7defce4ca25c856685dba2b836c9a93424d95a9c
Instruction Fuzzy Hash: EF71FB73A043154BC318EF79CD8576AF6D6ABC5320F0A863DE5C4A73D1EA7898048B85

Function 0040AE60 Relevance: 5.5, Strings: 4, Instructions: 489
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4:, xrefs: 0040B0EF
06, xrefs: 0040B0E5
>;, xrefs: 0040AF4D
SpYv, xrefs: 0040B045

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: >;$SpYv$06$4:
API String ID: 0-3243906123
Opcode ID: 024b7aafbd6db80bab7ebd63ecf29f32219db5f9ace480a1ed8ad5d5f7e30740
Instruction ID: ba3b2f4d1e4dad876d63f93e4022fe59a9fa94051f0befbaffaca00d2fa64594
Opcode Fuzzy Hash: 024b7aafbd6db80bab7ebd63ecf29f32219db5f9ace480a1ed8ad5d5f7e30740
Instruction Fuzzy Hash: 4D0254B5140B00CFD3208F25D895B97BBF5FB8A318F058A2CD5AA4BB90D779A405CF95

Function 004402D0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00443370,00000002,00000018,?,?,00000018,?,?,?), ref: 004402FE

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00440A0D Relevance: 1.5, Strings: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(?l, xrefs: 00440AE7, 00440BFC

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: InitializeThunk
String ID: (?l
API String ID: 2994545307-3586509061
Opcode ID: 2e8bdb8959942972748b7fc4cb2777a4a4b0d8d6c190d5fd16f1e09c982bb9eb
Instruction ID: c528c2ca4be2e476e1abc7d903b0acb0bac1af5d968177d182933651f6946a82
Opcode Fuzzy Hash: 2e8bdb8959942972748b7fc4cb2777a4a4b0d8d6c190d5fd16f1e09c982bb9eb
Instruction Fuzzy Hash: F561F871A002218BDB18CF64C89177BB7B2FF99314F0A826DD646AB3A5D7799C01C798

Function 004406A2 Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004406A2
GetForegroundWindow.USER32 ref: 004406B1

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
Instruction ID: ab39d18eea59de8c0b680b80bbae726c1476b453b8e9e2f579cb72a53367ea8f
Opcode Fuzzy Hash: cd25495a08ae7a881a864ea32b03c02376aebc77bdf23d09393fa069b7b014e1
Instruction Fuzzy Hash: 4AD0C7F95905018FD705D771BD8542A36397A4620D38C903DF50741613FD35502A8B5B

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B51C,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction ID: 9d73e3fc9da24b4a25dc6ea464106973b4d99c6e73c38ef93f1a8f1a834cd47d
Opcode Fuzzy Hash: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction Fuzzy Hash: EFF0203A909200EBE2006F2ABC05A173668BF8A325F020876F000D31A5D738E8218A9B

Function 0043E860 Relevance: 1.5, APIs: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B51C,00000000,00000001), ref: 0043E87E

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction ID: edab8ee5216d5c962334db0beb90db3a31f2e897247f77843e17d527c4ab1b3a
Opcode Fuzzy Hash: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction Fuzzy Hash: F0D0A734188121DFD7005F14FC05B873758DF0A351F020872B404AB1B5C234EC50C69C

Function 0040A612 Relevance: 1.5, APIs: 1, Instructions: 12
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0040A620

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 2363c92990a5a7fca1b3864791137cece6c7d81b7042baa60a2eb535476d38a5
Instruction ID: 11200f545d227c37396d64d573f745233cbce6e469bc63623b58ecbfd5408996
Opcode Fuzzy Hash: 2363c92990a5a7fca1b3864791137cece6c7d81b7042baa60a2eb535476d38a5
Instruction Fuzzy Hash: C7C08C342903A897D3089B96CC0FE163E1EDB83688B12401FB401022EBDAA230198AA6

Function 0043E840 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,67660564,00408969,67660564), ref: 0043E850

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction ID: 1c12cdc91dcc22cd6618a30bc84945b256d08a32317763a8f107efb347479c5b
Opcode Fuzzy Hash: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction Fuzzy Hash: E4C09B31145120ABD5103F15FC05FC67F64DF45391F010465B00467076C760BC91C6DD

Non-executed Functions

Function 00411B20 Relevance: 152.4, APIs: 4, Strings: 82, Instructions: 1908COMMON

Download Yara Rule

Strings

6, xrefs: 00412DEF
A, xrefs: 0041337C
x, xrefs: 0041348C
u, xrefs: 004134BC
], xrefs: 00412E07
;, xrefs: 00412590
!, xrefs: 0041314B
_, xrefs: 00412E17
a, xrefs: 00411D5E
j, xrefs: 00412E1F
\, xrefs: 0041317B
3, xrefs: 0041309B
k, xrefs: 0041343C
(, xrefs: 00412DFF
t, xrefs: 00411B81
[, xrefs: 00412E37
g, xrefs: 0041341C
V, xrefs: 004133DC
m, xrefs: 00411DF4
;, xrefs: 0041312B
e, xrefs: 00412FAA
1, xrefs: 004130AB
8, xrefs: 00412DAF
<, xrefs: 00412DDF
>, xrefs: 0041310B
c, xrefs: 004129C4
w, xrefs: 004134AC
", xrefs: 004130DB
[, xrefs: 0041336C
", xrefs: 004129B0
g, xrefs: 0041347C
=, xrefs: 004127B3
", xrefs: 0041316B
n, xrefs: 004129BA
8, xrefs: 0041303B
Z, xrefs: 00412FAF
0, xrefs: 00412DCF
X, xrefs: 0041339C
,, xrefs: 0041308B
W, xrefs: 004131AB
U, xrefs: 0041338C
q, xrefs: 00411F00
m, xrefs: 00412E0F
Z, xrefs: 00412E2F
>, xrefs: 004130FB
B, xrefs: 0041335C
3, xrefs: 0041307B
Y, xrefs: 00412E27
3, xrefs: 00412502
C, xrefs: 00412DF7
S, xrefs: 00412228
:, xrefs: 0041258B
@, xrefs: 0041287E
z, xrefs: 00412C17
W, xrefs: 004133AC
G, xrefs: 00412DD7
#, xrefs: 004129CE
`, xrefs: 00412AFE
|, xrefs: 0041342C
(?l, xrefs: 00412B67, 00413665, 0041373A, 004137B6, 004138C8, 0041393A
`, xrefs: 00411DF9
9, xrefs: 00412586
D, xrefs: 0041382B
}, xrefs: 00411FEB
K, xrefs: 00412DB7
d, xrefs: 00412FA5
E, xrefs: 00412DC7
J, xrefs: 0041288E
6, xrefs: 0041315B
^, xrefs: 004133BC
h, xrefs: 004133EC
}, xrefs: 0041209C
A, xrefs: 00412C12
], xrefs: 004133CC
z, xrefs: 00411C69
i, xrefs: 00411C6E
d, xrefs: 004127E3
h, xrefs: 004127C3
D, xrefs: 004135C3
, xrefs: 00411E7B
L, xrefs: 0041289E
A, xrefs: 00412DE7

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: $!$"$"$"$#$($(?l$,$0$1$3$3$3$6$6$8$8$9$:$;$;$<$=$>$>$@$A$A$A$B$C$D$D$E$G$J$K$L$S$U$V$W$W$X$Y$Z$Z$[$[$\$]$]$^$_$`$`$a$c$d$d$e$g$g$h$h$i$j$k$m$m$n$q$t$u$w$x$z$z$|$}$}
API String ID: 0-2838045690
Opcode ID: 2a97033adb1b1d05a4e5ad0f0b53d8bb5587309d21d8ac6520100bb8b18c4a08
Instruction ID: 117aeaff4c6fbaf4157fdbc60f3db6fb52a806b9f41967a57c6fbeea88178428
Opcode Fuzzy Hash: 2a97033adb1b1d05a4e5ad0f0b53d8bb5587309d21d8ac6520100bb8b18c4a08
Instruction Fuzzy Hash: D503D07160C7C18AD3349B3885443DFBBD1AB96324F188A6EE4E9973D2D7B88981C747

Function 0041CAA0 Relevance: 83.7, Strings: 66, Instructions: 1193COMMON

Download Yara Rule

Strings

P, xrefs: 0041D0FB
[, xrefs: 0041D02B
?, xrefs: 0041D645
[, xrefs: 0041CFDB
:, xrefs: 0041CFAB
b, xrefs: 0041CE93
V, xrefs: 0041D01B
f, xrefs: 0041D013
a, xrefs: 0041CD18
X, xrefs: 0041D0CB
J, xrefs: 0041D10B
., xrefs: 0041D143
>, xrefs: 0041D640
H, xrefs: 0041D0BB
&, xrefs: 0041CCFA
_, xrefs: 0041CFF3
P, xrefs: 0041CFB3
-, xrefs: 0041D63B
\, xrefs: 0041D0EB
R, xrefs: 0041D05B
0, xrefs: 0041CFEB
E, xrefs: 0041D103
P, xrefs: 0041CFCB
7, xrefs: 0041D15B
b, xrefs: 0041CD13
S, xrefs: 0041D053
0, xrefs: 0041D64A
., xrefs: 0041D13B
s, xrefs: 0041D03B
O, xrefs: 0041D083
Y, xrefs: 0041CE60
R, xrefs: 0041CE38
}, xrefs: 0041CF6B
\, xrefs: 0041CFC3
b, xrefs: 0041D033
c, xrefs: 0041CD1D
A, xrefs: 0041D073
R, xrefs: 0041D09B
q, xrefs: 0041CF83
D, xrefs: 0041CF93
d, xrefs: 0041CFD3
f, xrefs: 0041D00B
G, xrefs: 0041D023
], xrefs: 0041D0B3
$, xrefs: 0041CCFF
H, xrefs: 0041D043
n, xrefs: 0041D07B
P, xrefs: 0041D0F3
/, xrefs: 0041CF9B
A, xrefs: 0041D093
H, xrefs: 0041D113
:, xrefs: 0041CD22
H, xrefs: 0041D003
&, xrefs: 0041CCF5
T, xrefs: 0041CFE3
_, xrefs: 0041D0C3
G, xrefs: 0041DB13
N, xrefs: 0041D0E3
u, xrefs: 0041D11B
,, xrefs: 0041D153
%, xrefs: 0041CCF0
8, xrefs: 0041CD0E
z, xrefs: 0041D0AB
, xrefs: 0041D14B
J, xrefs: 0041D0A3
Q, xrefs: 0041CFBB

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: $$$%$&$&$,$-$.$.$/$0$0$7$8$:$:$>$?$A$A$D$E$G$G$H$H$H$H$J$J$N$O$P$P$P$P$Q$R$R$R$S$T$V$X$Y$[$[$\$\$]$_$_$a$b$b$b$c$d$f$f$n$q$s$u$z$}
API String ID: 0-3743354863
Opcode ID: 5e1ca8346b529f0a9eae92fbb8e2aae2df75031782f2171215637c8570fb2fc6
Instruction ID: 2205c5dd49912a15ade75e625562851e5fed45581a7bd861b37c18b6c067c818
Opcode Fuzzy Hash: 5e1ca8346b529f0a9eae92fbb8e2aae2df75031782f2171215637c8570fb2fc6
Instruction Fuzzy Hash: 4AB2BF7160C7C18BC3259A3C889439EBBD16BD6324F084B6EE4E98B3D2D7789845C797

Function 004251E8 Relevance: 34.2, Strings: 27, Instructions: 426COMMON

Download Yara Rule

Strings

T8e>, xrefs: 004259BF
_lYr, xrefs: 00425A4E
)p*v, xrefs: 004258B5
rp, xrefs: 00425431
8>, xrefs: 00425C7F
Rd"j, xrefs: 00425A38
K4l:, xrefs: 00425810
7w, xrefs: 00425345
U\, xrefs: 0042559C
4~|, xrefs: 004256F4
!h#n, xrefs: 00425A43
(X6^, xrefs: 00425A17
BpFv, xrefs: 00425A59
-tz, xrefs: 004258C0
x~, xrefs: 00425BCF
;T&Z, xrefs: 00425A0C
|,X2, xrefs: 0042599E
.D)J, xrefs: 004259E0
G0]6, xrefs: 004259A9
T`Zf, xrefs: 00425A2D
&P%V, xrefs: 00425A01
{x, xrefs: 004258CB
.H>N, xrefs: 004259EB
o<KB, xrefs: 004259CA
`g, xrefs: 004255A7
2{<u, xrefs: 0042533A
tj, xrefs: 00425BF0

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: !h#n$&P%V$(X6^$)p*v$-tz$.D)J$.H>N$2{<u$4~|$7w$;T&Z$BpFv$G0]6$K4l:$Rd"j$T8e>$T`Zf$U\$_lYr$`g$o<KB${x$|,X2$8>$rp$tj$x~
API String ID: 0-2870231824
Opcode ID: bb8f5c017a04f448ec77eaa504b06c268e6e3bd4e83d5db79ec8c788eea25bd9
Instruction ID: 85683be32e8b5f4f428226e946852424525cd865b1790a78dd48afa17569a373
Opcode Fuzzy Hash: bb8f5c017a04f448ec77eaa504b06c268e6e3bd4e83d5db79ec8c788eea25bd9
Instruction Fuzzy Hash: 423208B160C7D48AD334CF14C442BDFBAF2EB92304F40892DC5E96B215D7B6564A8B9B

Function 0043B7B0 Relevance: 21.9, APIs: 10, Strings: 2, Instructions: 851memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(7F7E7D64,00000000,00000001,D3D2D1DD,00000000,?,D3D2D1DD,?,?,?), ref: 0043BB57
SysAllocString.OLEAUT32 ref: 0043BBE2
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,D3D2D1DD,?,?,?), ref: 0043BC20
SysAllocString.OLEAUT32 ref: 0043BC67
SysAllocString.OLEAUT32 ref: 0043BD1F
VariantInit.OLEAUT32(?), ref: 0043BD8D

Strings

qn, xrefs: 0043BCD0
./, xrefs: 0043BDC6

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: ./$qn
API String ID: 65563702-3823645636
Opcode ID: c5f25b5ce48f4ac5767ab17afecd4745c82f4d03acb471f462ee15570475ae4e
Instruction ID: 2f0884b81ea7a4518840af457542ae1764f48caff3a768fe7da6a1d928f758ff
Opcode Fuzzy Hash: c5f25b5ce48f4ac5767ab17afecd4745c82f4d03acb471f462ee15570475ae4e
Instruction Fuzzy Hash: 1F52E172A083508FD718CF28C89176BBBE2EFC9310F14992EE6D59B391D7759805CB86

Function 004161DF Relevance: 16.5, APIs: 4, Strings: 5, Instructions: 726COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?,?,?,?,?,00000000,?), ref: 004164C7

Strings

[T, xrefs: 004163B4
LH, xrefs: 004165FD
GpFv, xrefs: 00416633
AtP, xrefs: 0041663A
LH, xrefs: 0041638A

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: AtP$GpFv$LH$LH$[T
API String ID: 237503144-1191849916
Opcode ID: c45f3d226a3812a6aead361fe9d5df0bfae63227e0163f579f125f00ef532eb5
Instruction ID: 33ac3c3fba2e5f2169ec6e70d98a4de6486b49fd6ba05196e176a44067b630e5
Opcode Fuzzy Hash: c45f3d226a3812a6aead361fe9d5df0bfae63227e0163f579f125f00ef532eb5
Instruction Fuzzy Hash: D83224756007018FC724CF29C8917A3B7F2FF96314B1A85ADD8968B7A1D739E842CB54

Function 00436590 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004365D0
GetSystemMetrics.USER32 ref: 004365E0
DeleteObject.GDI32 ref: 00436623
SelectObject.GDI32 ref: 00436673
SelectObject.GDI32 ref: 004366CA
DeleteObject.GDI32 ref: 004366F8

Strings

AnC, xrefs: 00436743
phC, xrefs: 00436790
, xrefs: 004366A1

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $AnC$phC
API String ID: 3911056724-4014303587
Opcode ID: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction ID: 106fc45ad3404cda282eaa32535b81ccc0e8128c77ede95de355203d1d43b79a
Opcode Fuzzy Hash: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction Fuzzy Hash: 0461A3B04497848FE760EF68D58978FBBE0BB85304F00892EE5D88B251D7B85458DF4B

Function 00430050 Relevance: 14.6, Strings: 11, Instructions: 875COMMON

Download Yara Rule

Strings

d/C, xrefs: 004308E3
$&C, xrefs: 0043098D
-C, xrefs: 004307A5
F1C, xrefs: 00430805
p+C, xrefs: 00430AD3
:/C, xrefs: 00430C52
:/C, xrefs: 00430C68
d/C, xrefs: 004308CD
u'C, xrefs: 004308F9
B-C, xrefs: 0043094B
%!C, xrefs: 00430961

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: -C$$&C$%!C$:/C$:/C$B-C$F1C$d/C$d/C$p+C$u'C
API String ID: 0-709081256
Opcode ID: 4d4b706c8cc50190ef50d9101eab4c3f35cd948609aa9b3840eb0fcc861dc871
Instruction ID: d9a4a0d359dcb2b16ba7e2780f5c8e827f4dfc1ae0afff22db1dab9ef28774d1
Opcode Fuzzy Hash: 4d4b706c8cc50190ef50d9101eab4c3f35cd948609aa9b3840eb0fcc861dc871
Instruction Fuzzy Hash: 6792A6B0615B809FD3A1CF3DC841793BBE8AB1A301F14496EE1EED7342D775A9408B69

Function 00418690 Relevance: 11.4, APIs: 2, Strings: 4, Instructions: 893COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,0041755F), ref: 00418AD7
FreeLibrary.KERNEL32(?), ref: 00418B19

Part of subcall function 004402D0: LdrInitializeThunk.NTDLL(00443370,00000002,00000018,?,?,00000018,?,?,?), ref: 004402FE

Strings

(?l, xrefs: 004186B5, 00418737, 00418790, 00418824, 00418A4A, 00418A80, 00418AF0, 00418B2E, 00418BB4, 00418C7B, 00418D35, 00418D94, 00418E28, 00418ECA, 00419000, 00419157, 004191CB
^_, xrefs: 004189B2
#v, xrefs: 00418AD7, 00418B19
fg$, xrefs: 00418715

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: (?l$^_$#v$fg$
API String ID: 764372645-2555901572
Opcode ID: f12cd0c5abc8b4adf1410694abc52eb15086b7ff71caea00273f36140592bd9d
Instruction ID: 32a26824a101f77e2cdc0b8292c828813d5ce8b95ab05ea660f3df7b5e92ca69
Opcode Fuzzy Hash: f12cd0c5abc8b4adf1410694abc52eb15086b7ff71caea00273f36140592bd9d
Instruction Fuzzy Hash: A36223706083419BE724CB25CC947ABBBA2FFD5314F188A2DF195572E1D774DC828B8A

Function 004245C0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00424698

Strings

=jh, xrefs: 00424622
}z, xrefs: 00424646
D6v4, xrefs: 00424655

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: =jh$D6v4$}z
API String ID: 237503144-2424248051
Opcode ID: 3772b7cab7ce4be730253614f307315e94f3b70fd205065592afc7a9209bc7f1
Instruction ID: 072dcfe1279749a49c563166b893412059df4ddb98baf7635cf88deb1ed00509
Opcode Fuzzy Hash: 3772b7cab7ce4be730253614f307315e94f3b70fd205065592afc7a9209bc7f1
Instruction Fuzzy Hash: E071227560C3509FE7208F24EC4175FBBE4EBC2718F10892DF5A49B291DBB4980A8B96

Function 004363E0 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436402
GetClipboardData.USER32 ref: 00436423
GlobalLock.KERNEL32 ref: 00436440
GlobalUnlock.KERNEL32 ref: 00436565
CloseClipboard.USER32 ref: 0043656D

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: cd64050f2e6ce8a49e00ce1524363f2ca1729a387b1252b733a2869860975dcd
Instruction ID: b86dd0c9fbfd43ae0b58d105ee5404c8a2eb2c5d505c68a19c0745f829c1e84f
Opcode Fuzzy Hash: cd64050f2e6ce8a49e00ce1524363f2ca1729a387b1252b733a2869860975dcd
Instruction Fuzzy Hash: C941D1B1908B529FD700AF7C988925ABFA0AB06320F05873EE8E5973C6D3389555C797

Function 004165EE Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 363COMMON

Download Yara Rule

Strings

LH, xrefs: 004165FD
GpFv, xrefs: 00416633
AtP, xrefs: 0041663A

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: AtP$GpFv$LH
API String ID: 0-40351562
Opcode ID: c306bb3cbdd6ec008ef7fc3e20834e6d8af5c63d5edea0b955c54c48335885b1
Instruction ID: 6bb0aad597ceb399f229923281458bf5411d9ceb9ec5dfacab6a3e1016280f03
Opcode Fuzzy Hash: c306bb3cbdd6ec008ef7fc3e20834e6d8af5c63d5edea0b955c54c48335885b1
Instruction Fuzzy Hash: 04C1F275200B018FC725CF29C891663B7F2FF96314B1A896ED8968B7A5E778F841CB44

Function 00417451 Relevance: 8.0, Strings: 6, Instructions: 462COMMON

Download Yara Rule

Strings

(?l, xrefs: 00417622, 00417742, 00417828
V]E^, xrefs: 0041746B
KWYb, xrefs: 00417464
R^lf, xrefs: 00417472
puGG, xrefs: 00417479
[NC~, xrefs: 00417480

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l$KWYb$R^lf$V]E^$[NC~$puGG
API String ID: 0-1489766312
Opcode ID: c29bcf31437ee47590e058e1df2d955fbd9be27443022bf6db6281ab6d2cf38d
Instruction ID: 136c07a549b812a85170c773b68f542c8dc67558d112d0f44613d1a83f6642fd
Opcode Fuzzy Hash: c29bcf31437ee47590e058e1df2d955fbd9be27443022bf6db6281ab6d2cf38d
Instruction Fuzzy Hash: 18E16475608601DFC7248F29CC816A777B2FF8A310F19857ED5568B7A1E739E842CB48

Function 00420440 Relevance: 7.9, Strings: 6, Instructions: 435COMMON

Download Yara Rule

Strings

(?l, xrefs: 004204FE, 00420870, 00420A2A
!@, xrefs: 00420473
,, xrefs: 004208BE
~, xrefs: 00420958
y, xrefs: 0042094E
}, xrefs: 00420953

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$(?l$,$y$}$~
API String ID: 1279760036-275304703
Opcode ID: ffbb6c0042c68ac729525926c2e26e2f5a112f15c8cc9d6f67e5ae4b6ebde675
Instruction ID: 2852e8a72792478206081eee7b36556700343e18317fd051797439900b6cc18e
Opcode Fuzzy Hash: ffbb6c0042c68ac729525926c2e26e2f5a112f15c8cc9d6f67e5ae4b6ebde675
Instruction Fuzzy Hash: 20029C7160C3508FD3249F29D48436FBBE1AB85314F948A2EE1D6873D2D7B99885CB4B

Function 0040D690 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 329COMMON

Download Yara Rule

APIs

Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365D0
Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365E0
Part of subcall function 00436590: DeleteObject.GDI32 ref: 00436623
Part of subcall function 00436590: SelectObject.GDI32 ref: 00436673
Part of subcall function 00436590: SelectObject.GDI32 ref: 004366CA
Part of subcall function 00436590: DeleteObject.GDI32 ref: 004366F8

CoUninitialize.OLE32 ref: 0040D6A0

Strings

^_/C, xrefs: 0040D756
TC03, xrefs: 0040D75D
SD, xrefs: 0040D8B8
;d, xrefs: 0040D8B1

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem$Uninitialize
String ID: ;d$SD$TC03$^_/C
API String ID: 1556769885-3729532250
Opcode ID: b66383ab52221ad0062b023f7cbb6e89c25dab7e84f6b845a426a2280be16a7f
Instruction ID: 40ffb7c8dda840b4bdf12d856fc54da81b6c6fcd26267cd1a4ca77b1afe074d2
Opcode Fuzzy Hash: b66383ab52221ad0062b023f7cbb6e89c25dab7e84f6b845a426a2280be16a7f
Instruction Fuzzy Hash: 0DA1F6B56047918FD719CF39C4A0262BFE1FFA7314B28819DC0D64BB86D739A406CB99

Function 0040A910 Relevance: 6.7, Strings: 5, Instructions: 422COMMON

Download Yara Rule

Strings

C|, xrefs: 0040AA00
~|, xrefs: 0040AA08
WR, xrefs: 0040AB42
~Bzx, xrefs: 0040A922
<, xrefs: 0040A9F8

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: <$C|$WR$~Bzx$~|
API String ID: 0-1711356705
Opcode ID: eb618b037da9d4a8f30fd96234d8a315959bb50aef7b878bb8ad7f5f9f0bb039
Instruction ID: c242de3d159764505c2276e72245a45d8931141d93d3f41c6525b63a99f65b4f
Opcode Fuzzy Hash: eb618b037da9d4a8f30fd96234d8a315959bb50aef7b878bb8ad7f5f9f0bb039
Instruction Fuzzy Hash: 3BD1287664C3504BD318CF29885126FBBE3ABC2314F19897EE4D5AB381C779C90A8787

Function 004091C0 Relevance: 6.6, Strings: 5, Instructions: 382COMMON

Download Yara Rule

Strings

IIMC, xrefs: 00409303
C]E[, xrefs: 0040956E
}UW^, xrefs: 00409270
R, xrefs: 004094C6
uP, xrefs: 00409323

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: C]E[$IIMC$R$uP$}UW^
API String ID: 0-892063760
Opcode ID: 205ed248482d7a065e056c637e6f518a5e6eb8ae255233571312f867963e7cbf
Instruction ID: 6cbd51c0248f91b97843e71913ba0166c23e35ea759608a7bc928dd55ed2a06e
Opcode Fuzzy Hash: 205ed248482d7a065e056c637e6f518a5e6eb8ae255233571312f867963e7cbf
Instruction Fuzzy Hash: 7EB1D57164C3919AC3268F29849075BFFE09FD3754F0849ADE4D51B3C2D339894ACB9A

Function 00420B10 Relevance: 5.5, Strings: 4, Instructions: 470COMMON

Download Yara Rule

Strings

_\], xrefs: 00420CD6
p@, xrefs: 00420F26
2$76, xrefs: 00420BD5
745:2$76, xrefs: 00420C04

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: 2$76$745:2$76$_\]$p@
API String ID: 0-2055486527
Opcode ID: 72de75099d2428021de663951be0cdc0c7cee2451cd19565167c9926f89101ca
Instruction ID: d14b64437fda7db03077973c55caa55540a0466a372fa5b5a151a26c722ec16b
Opcode Fuzzy Hash: 72de75099d2428021de663951be0cdc0c7cee2451cd19565167c9926f89101ca
Instruction Fuzzy Hash: 5CD1CF716183508FD724CF64D891BABBBF0EF95318F04882DE98587392E7B9E845CB46

Function 0042A810 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042A8EB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042A97D

Strings

~, xrefs: 0042A832

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ~
API String ID: 237503144-2894255414
Opcode ID: 1c473d725ee859b7bc2214469bc5b5d5224865ddaf137e16565168149a9ffc31
Instruction ID: 0060a675a86d7ee076ee5ed7f34d7278311ae35c8cfae6d949a6dc28de4d3802
Opcode Fuzzy Hash: 1c473d725ee859b7bc2214469bc5b5d5224865ddaf137e16565168149a9ffc31
Instruction Fuzzy Hash: A351FEB56483459FE350DF61AC81A2FBBB9EB86704F00583CF6809B291DBB0D40ACB47

Function 0042F799 Relevance: 5.4, Strings: 4, Instructions: 395COMMON

Download Yara Rule

Strings

0-/?, xrefs: 0042F9D6
;(?>, xrefs: 0042FB00
99C?, xrefs: 0042FB07
$&?3, xrefs: 0042F9CF

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: $&?3$0-/?$99C?$;(?>
API String ID: 0-2409071036
Opcode ID: 0f904baec885a48e33df7b1b7907a05be18de7786bafa3a2f03c938367798e8d
Instruction ID: f66a5fe417f6b708e5f26068a280dd0292c096a76de8314330cd7006a92fc357
Opcode Fuzzy Hash: 0f904baec885a48e33df7b1b7907a05be18de7786bafa3a2f03c938367798e8d
Instruction Fuzzy Hash: 2AD15EB49007419FD720EF39D586752BFF0EB12300F544AAED8EA4B786D334A45ACB96

Function 0041AA90 Relevance: 4.4, Strings: 3, Instructions: 606COMMON

Download Yara Rule

Strings

>j%h, xrefs: 0041B0E5
]Z, xrefs: 0041AEFC
YF, xrefs: 0041B0CB

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: >j%h$YF$]Z
API String ID: 0-4187760579
Opcode ID: f3650962084d52d79ac8aa8556ac161de20ed1266376fc9589421efd1e12c3e8
Instruction ID: 9eece3b8ce7a95ea6ecb53f0b37b23c6ac9ce84f3b4a74f9026e79692fb54b94
Opcode Fuzzy Hash: f3650962084d52d79ac8aa8556ac161de20ed1266376fc9589421efd1e12c3e8
Instruction Fuzzy Hash: CD02037160C3009BD7189F25C8916AFBBF2EFD5314F08892DE4D58B382E7399946C78A

Function 0043C410 Relevance: 4.1, Strings: 3, Instructions: 349COMMON

Download Yara Rule

Strings

(?l, xrefs: 0043C43F, 0043C596, 0043C60F, 0043C764
NP,?, xrefs: 0043C620
mij, xrefs: 0043C6A1

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l$NP,?$mij
API String ID: 0-3702779858
Opcode ID: cc5b4e011164df61d270ecc2c51f43ecfc062a7bc14e5e5ccdd31484d5020c28
Instruction ID: d401854fd2cc12c548c1ecfb90c4d04a7bab5840ee8d20629697b9478a788be7
Opcode Fuzzy Hash: cc5b4e011164df61d270ecc2c51f43ecfc062a7bc14e5e5ccdd31484d5020c28
Instruction Fuzzy Hash: BAA159756043109BD314DF25C8C162BB7A1EBC9728F24662EE9A5373D1D338EC018BDA

Function 00419710 Relevance: 4.0, Strings: 3, Instructions: 239COMMON

Download Yara Rule

Strings

Nw, xrefs: 004197EE
qp, xrefs: 004197F6
4, xrefs: 004197FE

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: 4$Nw$qp
API String ID: 0-4265586298
Opcode ID: 09736f53e40f161c978499db664805b985a504afe7f2715ac1ab9c7116b395ac
Instruction ID: 1c14353b01c87222b99498af661210a9029df4456b24b55d3972913cfd48c548
Opcode Fuzzy Hash: 09736f53e40f161c978499db664805b985a504afe7f2715ac1ab9c7116b395ac
Instruction Fuzzy Hash: 0A61E5719183518BC728DF29C8612BBB7E1EFC6314F094A6EE9D69B391D7388C05C786

Function 00419470 Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

0, xrefs: 004194C2
~, xrefs: 004194F0
}, xrefs: 004194EB

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: 0$}$~
API String ID: 0-1378824556
Opcode ID: 884f6f9cf58a5a59d449aea1ec521a8ac50cc9cc68e7f295d775d02287a41394
Instruction ID: cc2bc466ecf6dadc7518a70f2b95efd366e8ae182a12733c5a40e6e465e138fe
Opcode Fuzzy Hash: 884f6f9cf58a5a59d449aea1ec521a8ac50cc9cc68e7f295d775d02287a41394
Instruction Fuzzy Hash: A7711832F0DA944BCB19897C4C212EA7A934BD3230F2DC3BED9B5973E5D4684D468399

Function 0042E5C2 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

|lx1, xrefs: 0042E71D
)2^, xrefs: 0042E6C0
khvr, xrefs: 0042E716

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: )2^$khvr$|lx1
API String ID: 0-2191243274
Opcode ID: 4ccf6364555e8cdb5bfd8096454ae9d86d60a5367683d88ebbcbe3196d12286d
Instruction ID: 4de4a3a3beb6c19d42a4d3ade4e4e91008c027f5d3f459ded0861b50ff37b2bd
Opcode Fuzzy Hash: 4ccf6364555e8cdb5bfd8096454ae9d86d60a5367683d88ebbcbe3196d12286d
Instruction Fuzzy Hash: 27412974605691CBD7158F3AD490772BBA2AF9B304F5C85ADC4C78B396C6389846CB18

Function 0041E250 Relevance: 3.2, Strings: 2, Instructions: 677COMMON

Download Yara Rule

Strings

eA, xrefs: 0041EAFB
)A, xrefs: 0041EB71

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: )A$eA
API String ID: 0-3047952920
Opcode ID: 1aff6a1ddbd8946615309b4813eb2c647a67da029f02dffdb8a6fe643e521773
Instruction ID: a0969c83d05d4ee8c97119b57e028d19e1de82d2bfa65bbec59b05e925b9ead1
Opcode Fuzzy Hash: 1aff6a1ddbd8946615309b4813eb2c647a67da029f02dffdb8a6fe643e521773
Instruction Fuzzy Hash: EE6270B0609B818ED335CF3C8815797BFD5AB5A324F148A5EE0FA873D2C77561028B66

Function 0040CB44 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CB56
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CB72

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 8656cd1a9d74df869ad8f22be8c3fd88ccb0ea15f397b936d6b69d150d3e7ac9
Instruction ID: ff61b9231b5af6c48cb1d82934a630ea8aeeaa7d7eb1477661cb3efef4af383c
Opcode Fuzzy Hash: 8656cd1a9d74df869ad8f22be8c3fd88ccb0ea15f397b936d6b69d150d3e7ac9
Instruction Fuzzy Hash: 72E0BD383C83007BF6398B08AC97F247221A743F22F301214B3623E2E58AE07140451D

Function 0041F710 Relevance: 3.0, Strings: 2, Instructions: 527COMMON

Download Yara Rule

Strings

LMB, xrefs: 0041F7EF
pv, xrefs: 0041F797

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: LMB$pv
API String ID: 0-122907696
Opcode ID: 3fc255382061fbe06f9c3bda0470005eaca39f0d2e89b5b2a02a42f94d0d23c9
Instruction ID: 3eeefadaa77a5fd53610c3ddf5e6e08206d1469657b97126345bc7f1514b4473
Opcode Fuzzy Hash: 3fc255382061fbe06f9c3bda0470005eaca39f0d2e89b5b2a02a42f94d0d23c9
Instruction Fuzzy Hash: 17E134B15183008BD3249F29C8623ABB7F1EFD2314F19892DD5C68B3A5E7799846C786

Function 0041B200 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

45, xrefs: 0041B562
uw, xrefs: 0041B2A7

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: 45$uw
API String ID: 0-851133776
Opcode ID: e2adc86de019d6b1d867657f804c1c3be0e2dc0093408f59bde583ec9563b01e
Instruction ID: e49b2e20cfe9ba5ce7cb5790c572c6cd382ddd2734a676778ebff5933d168dd8
Opcode Fuzzy Hash: e2adc86de019d6b1d867657f804c1c3be0e2dc0093408f59bde583ec9563b01e
Instruction Fuzzy Hash: A6C121745083048BC718CF28C8926ABB3F1EFC5314F19C96EE8968B391E778D945C796

Function 00427A50 Relevance: 2.9, Strings: 2, Instructions: 403COMMON

Download Yara Rule

Strings

(?l, xrefs: 00427AAD, 00427BC3
klm", xrefs: 00427B31

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: InitializeThunk
String ID: (?l$klm"
API String ID: 2994545307-4063503260
Opcode ID: 5bfaa992ad3f3c814d8c7c16f4c556f7922c4d7dbf04c43b2bfbd0464d4bc996
Instruction ID: 8789bd8e5de170319836c8e6b4e836532e50f116dbbdcba0dddf1708612731d7
Opcode Fuzzy Hash: 5bfaa992ad3f3c814d8c7c16f4c556f7922c4d7dbf04c43b2bfbd0464d4bc996
Instruction Fuzzy Hash: 8EB15A7270C3618BE7188F39E84167BB791EF95314F99862ED48597381D378EC0683DA

Function 004095A0 Relevance: 2.9, Strings: 2, Instructions: 375COMMON

Download Yara Rule

Strings

JO}, xrefs: 00409780
no, xrefs: 004098B8

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: JO}$no
API String ID: 0-1394444436
Opcode ID: cfcca626353e519b8bf4413727c819b726c7d8eb5d8651c3be30f97a30ab6ed4
Instruction ID: a84f769f8163236c19afa71ab8ebfca9a7e40634951dcb5e8a3fb7dd6940477d
Opcode Fuzzy Hash: cfcca626353e519b8bf4413727c819b726c7d8eb5d8651c3be30f97a30ab6ed4
Instruction Fuzzy Hash: 5AC1F3B160C3408BD718DF35D8916AFBBE2EBD2304F144A2DE5D29B392DA38C509CB56

Function 004042D0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0040434B
IEND, xrefs: 004046C1

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 45c20cd5fcaceaf54d92d3c3556584b8519c4c9188ce0ab5b8ab92abbfbd3db1
Instruction ID: b5c58118511f7ab27c9ce5a77da79783a4285a76a4993dc0d68ffacd4de415e2
Opcode Fuzzy Hash: 45c20cd5fcaceaf54d92d3c3556584b8519c4c9188ce0ab5b8ab92abbfbd3db1
Instruction Fuzzy Hash: 2BD1C2B1A083449FD710CF14D84175BBBE4ABD5308F14492EFA98AB3C2D779E904CB96

Function 004273A0 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

(?l, xrefs: 00427414, 004275A4
@uB, xrefs: 004275E0

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l$@uB
API String ID: 0-1568710423
Opcode ID: 9cc1dab727b328ddafe86f864bb37da5b07c0d11a10a92b949902cdf34f1a02c
Instruction ID: 3f551a4cb18cdb69ea81a70624d177d743b65059aaf82db93a0913f8d0b3051b
Opcode Fuzzy Hash: 9cc1dab727b328ddafe86f864bb37da5b07c0d11a10a92b949902cdf34f1a02c
Instruction Fuzzy Hash: BBA10FB560C300CFD714DF29E84162BB7E5FB86314F98482EF585A3251EB78E902CB5A

Function 0041C370 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

}, xrefs: 0041C415
~, xrefs: 0041C41A

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: }$~
API String ID: 0-3846021004
Opcode ID: 574856a951496172c10f24d6272443698a4463c6339c9a7123374a18d19c9391
Instruction ID: a6f5a58453f41cefe64683c3ca1862db3038e1f21351879acc05657e814d8347
Opcode Fuzzy Hash: 574856a951496172c10f24d6272443698a4463c6339c9a7123374a18d19c9391
Instruction Fuzzy Hash: 0591153674EA914BC719893C4C513EAAF934BD7230F2DC76EE8F58B3D2D52888468356

Function 004148B0 Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

(?l, xrefs: 00414BD9
gfff, xrefs: 00414AD7

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l$gfff
API String ID: 0-657474992
Opcode ID: af6115cd4622b5515d5ac619fdeb418161c0fe52ebd3cd43a49f7cdfb659676d
Instruction ID: 6d2678371d46dde300f0c9aca5f5b31911bdfc87d34d190af218ff5233393cf1
Opcode Fuzzy Hash: af6115cd4622b5515d5ac619fdeb418161c0fe52ebd3cd43a49f7cdfb659676d
Instruction Fuzzy Hash: 8E91347A610A018BE318CF39C8917A677E3FBC4328F19862ED556CB7D5DB78E8068744

Function 00433810 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

}, xrefs: 004338B1
~, xrefs: 004338B6

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: }$~
API String ID: 0-3846021004
Opcode ID: 9c651afb8884db2b8ed531508840d92c93680f60ef013fdbb885d5c65550ea95
Instruction ID: 10eb8eb1221c810e9ff21c9e5650af260ae2c54e12271e75aa51dbd00d3cd542
Opcode Fuzzy Hash: 9c651afb8884db2b8ed531508840d92c93680f60ef013fdbb885d5c65550ea95
Instruction Fuzzy Hash: A9714B2660D6D14BD7289E3C4C113AABED20FD7231F2CD7AEE4F5873E2D56989028346

Function 00436140 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

~, xrefs: 004361CE
}, xrefs: 004361C9

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: }$~
API String ID: 0-3846021004
Opcode ID: b89aeb8f7c5bc573797a562e5b9ad2442b0305510d530974ee3cfcaf6155a88d
Instruction ID: 2b4f25648cf012893ecccc6bc10ba7d797c7576365e8f899a19edef63a8e56f2
Opcode Fuzzy Hash: b89aeb8f7c5bc573797a562e5b9ad2442b0305510d530974ee3cfcaf6155a88d
Instruction Fuzzy Hash: 36717C2270DA814BD728493C8C513AABE830BDB330F2ED77EE5F18B3D2D5A988059345

Function 0042E7EB Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

M"O, xrefs: 0042E87A
fI.K, xrefs: 0042E873

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: M"O$fI.K
API String ID: 0-3473069917
Opcode ID: f1ae67461792b5d93ca60e836e6681a5081b8b37e267747ad0c9e70117a00995
Instruction ID: f6fd3104235a574d950e3c7a6e1b37e2e28bb9fd8ddddb0b7385076b5cae7f54
Opcode Fuzzy Hash: f1ae67461792b5d93ca60e836e6681a5081b8b37e267747ad0c9e70117a00995
Instruction Fuzzy Hash: 9531E4752047418BE705CF2AD850723FBE2EFA6310F69959DC0C59F392CA79A843CB88

Function 00410446 Relevance: 2.4, APIs: 1, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e7d69098086101bbac799b7b35378752f7b542f599ed17af3bf933a101616b
Instruction ID: fd6d0c28c0521a4b2d3ba0d2fcd6f101c3ce844309344171b6c888af52a4c48d
Opcode Fuzzy Hash: 29e7d69098086101bbac799b7b35378752f7b542f599ed17af3bf933a101616b
Instruction Fuzzy Hash: F5821975A04B408FD714DF38C985396BBE2AF85324F198A3DD4EB877D2E678A445CB02

Function 00411078 Relevance: 2.1, APIs: 1, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fa9a4ef5fc09b88c951e717f6d84c64096d515bfc5bfa11bc015a710778202
Instruction ID: ffeaf69f11ebdaa19ebbeb2c849f1362720ea4a43f49444d7a0805305d646c0f
Opcode Fuzzy Hash: 03fa9a4ef5fc09b88c951e717f6d84c64096d515bfc5bfa11bc015a710778202
Instruction Fuzzy Hash: C3220875604B408FC714DF38C48539ABBE2AF85314F15892ED9EB873A2E639E549CB43

Function 00441910 Relevance: 1.9, Strings: 1, Instructions: 646COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: 6bb2c6c9e11e1a31cb1c9e5027006488863a595bc0571fe87721c3bf0b491302
Instruction ID: 3cbef11c9a3ce934bd2371589f199791f426b11a6ad4740408174b3a4e74d17a
Opcode Fuzzy Hash: 6bb2c6c9e11e1a31cb1c9e5027006488863a595bc0571fe87721c3bf0b491302
Instruction Fuzzy Hash: 6B121039718211CFD708CF38D89062AB3E2FB8A315F1A897ED58687365D734D891CB85

Function 0043CAA7 Relevance: 1.9, Strings: 1, Instructions: 620COMMON

Download Yara Rule

Strings

_\, xrefs: 0043CFC2

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: _\
API String ID: 0-505892539
Opcode ID: e151fd77c1b513c9d1fc853a18fbbb0d5f395fcc726f05ed7b31c23f364176dd
Instruction ID: 387b8c9453b82b61d9c904b796da75a3b5f1fa39b900c3c8147bbc4438cb0180
Opcode Fuzzy Hash: e151fd77c1b513c9d1fc853a18fbbb0d5f395fcc726f05ed7b31c23f364176dd
Instruction Fuzzy Hash: 4C12E03AA18352CBC7149F38D84226BB7E2EF89310F0AC939D48597290E77CDA65C756

Function 00415975 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

(?l, xrefs: 00417742

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l
API String ID: 0-3586509061
Opcode ID: 243b778258389f953b07a409ac07394f124fe769467a8f8560444a276d6c679a
Instruction ID: 74a6effee417382a1a5ee657c987477b534f3e8da231505bdffe7cb23820d89a
Opcode Fuzzy Hash: 243b778258389f953b07a409ac07394f124fe769467a8f8560444a276d6c679a
Instruction Fuzzy Hash: 93022175608601CFD7248F24C8816A773F1FF89318B18857EE96A8B7A1E739F842CB55

Function 00441B40 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

r!D, xrefs: 0044215B

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: r!D
API String ID: 0-1427830086
Opcode ID: dd782d22cddc781079d978155dd15ba88b5c707dba8ff791ed422af05367eedc
Instruction ID: 449aedb15a5c66098da17fa39f105c8c994b9e20c3147fb75fcf3787673fd1a6
Opcode Fuzzy Hash: dd782d22cddc781079d978155dd15ba88b5c707dba8ff791ed422af05367eedc
Instruction Fuzzy Hash: 19D1DD3A719251CFD708CF38D89062AB3E2FB8A315F1A897DD58A87361D738D851CB85

Function 0043974A Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

(?l, xrefs: 00439C0E

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l
API String ID: 0-3586509061
Opcode ID: c30b6371291bc3bf07fa7b9cfe975840fd6fffdaf6a745e71405aa228f423609
Instruction ID: fc0b641811b5f02af9a852e1ed663fda96f7ffb5148a3fcfb0402d94655daeb9
Opcode Fuzzy Hash: c30b6371291bc3bf07fa7b9cfe975840fd6fffdaf6a745e71405aa228f423609
Instruction Fuzzy Hash: C7125821508BD18ED326CB3C8848B497F916B67224F0E83D9D4F55F3F3D6A98906C7A6

Function 00415590 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

(?l, xrefs: 004157A0, 00415858, 004158B4, 004158EE

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l
API String ID: 0-3586509061
Opcode ID: 3505ef9298af5163246ea4cbe5c3bfb3e9d249b807cb6a73194e5513d529a160
Instruction ID: ecd98b3e30f16e247b6e37ac7b6d2412abfb1e49c209f28e4dabdc3486cf8122
Opcode Fuzzy Hash: 3505ef9298af5163246ea4cbe5c3bfb3e9d249b807cb6a73194e5513d529a160
Instruction Fuzzy Hash: BCA11934204A01CFD7158F29D850AF6B7A2FF87310F5945AAD1968B3E2D738A852CB99

Function 0041A574 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

KtBD, xrefs: 0041A8C5

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: KtBD
API String ID: 0-2371315874
Opcode ID: 690f2ded89c9dec281683ef55609c2fe26ec7d37e203923dac15486e6292af9f
Instruction ID: ac5744b8ab6e67623932c2e274ea81386a75d073d127ce708834299026137f5e
Opcode Fuzzy Hash: 690f2ded89c9dec281683ef55609c2fe26ec7d37e203923dac15486e6292af9f
Instruction Fuzzy Hash: 16A167755583504FD718CF38C8906AFBBE2ABD6304F088A6DF1D297385DB798906CB82

Function 00726EDD Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

,e, xrefs: 007270D8

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: ,e
API String ID: 0-1730656290
Opcode ID: 529da75ddd01b8d6506c614f114a9dd86bc8c0a11b4438504053a12ae478f5f7
Instruction ID: cec6d1f5e6d132cdb8bfc05bd78ca3921c03a4fe23889161e3ea491f7c84b1f9
Opcode Fuzzy Hash: 529da75ddd01b8d6506c614f114a9dd86bc8c0a11b4438504053a12ae478f5f7
Instruction Fuzzy Hash: 01B1376184E3D59FD7178B30AE6A9527FB56E23210B0E86CFD4C58F4A3E3588909C763

Function 00442460 Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

(?l, xrefs: 0044253F, 0044266A

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: InitializeThunk
String ID: (?l
API String ID: 2994545307-3586509061
Opcode ID: 2d27626873ed00375b983628a6eaaff510ff410adcb89483adaff52c15ce1152
Instruction ID: 43641b0080f28784645b742a7ad2c42294f4f9943e41220fa131c894d675aac7
Opcode Fuzzy Hash: 2d27626873ed00375b983628a6eaaff510ff410adcb89483adaff52c15ce1152
Instruction Fuzzy Hash: 4AA177366083028BD314DF28C99056BB7E2EFD5720F59863EE89597391DB78DC01CB96

Function 0043912C Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

(?l, xrefs: 00439451

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l
API String ID: 0-3586509061
Opcode ID: 35302c2ff4b0673f232da35a14d444a4df5bbaab1c1a1d77e22d1bf0d0fce900
Instruction ID: 8782ec3ccabc4381b02692f60cc6c0642000128dc26c553bc04b6b6b65d02717
Opcode Fuzzy Hash: 35302c2ff4b0673f232da35a14d444a4df5bbaab1c1a1d77e22d1bf0d0fce900
Instruction Fuzzy Hash: D2D19621508BC18ED322CB3C884874ABFE16B6B324F1D879DD0E55B7D2C7799906C766

Function 00442A90 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

(?l, xrefs: 00442AA8, 00442BC4

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l
API String ID: 0-3586509061
Opcode ID: 8dc2943df722fa85380783b4a88eeb99f4f35d940b6f73deb47fe103ad117c2c
Instruction ID: fc263f480c2681dd635b64224822fc1918e68b91a5de72f5034c3531254662bf
Opcode Fuzzy Hash: 8dc2943df722fa85380783b4a88eeb99f4f35d940b6f73deb47fe103ad117c2c
Instruction Fuzzy Hash: E8915672A083158FD7289F18D9C066BB3A2FF88310F99863DF9555B3A0D7B4AC05C785

Function 004082A0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

%=>?, xrefs: 004083E0

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: %=>?
API String ID: 0-1840824467
Opcode ID: e07febe003d47278271e69a6a0aefd5b767d6bdb8c9269540a4227fbb6a47e9b
Instruction ID: 2abc8e8e60c77c2f0b16dca8ff0b337e7e89a8bc06769c8938415a8ee5640db8
Opcode Fuzzy Hash: e07febe003d47278271e69a6a0aefd5b767d6bdb8c9269540a4227fbb6a47e9b
Instruction Fuzzy Hash: 3291F832F046664BC7108E2DCA8025BB7E1ABC5754F698A3EE8D4E73D5EA3CCC454789

Function 00726EC8 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

,e, xrefs: 007270D8

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: ,e
API String ID: 0-1730656290
Opcode ID: dbab2be9438fffa97a23affea86d3f0b56c35eade832938bd4373276206f301a
Instruction ID: a0251ef4427fe7ac086a21406deff4032ec7029a110f62c20a5c6315eb67083a
Opcode Fuzzy Hash: dbab2be9438fffa97a23affea86d3f0b56c35eade832938bd4373276206f301a
Instruction Fuzzy Hash: 53B1386180E3D59FD7178B309D6A952BFB56E2321070E86CFD4C58F4A3E3688A09C763

Function 0042D893 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

FL~O, xrefs: 0042D9D3

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: FL~O
API String ID: 0-2976162848
Opcode ID: c18fcbdbc81227dcc25f435c5cd6f5a9ef8d3b7ca9870dc399652649a3942d38
Instruction ID: 7183c90d1eb5b33d84056431fd94899f29f45a832c645f55df25c9b471943a3a
Opcode Fuzzy Hash: c18fcbdbc81227dcc25f435c5cd6f5a9ef8d3b7ca9870dc399652649a3942d38
Instruction Fuzzy Hash: 3A7114B16047818FD725CF29C480763FBE2BFAA300F28858ED4D68B356C738A846CB55

Function 004427E0 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

(?l, xrefs: 004427F7, 004428B6

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l
API String ID: 0-3586509061
Opcode ID: f62cdbf99fd1994631e9b37d0c72a225121a179c97431be58f720d43f001f6f4
Instruction ID: 16ab1bb8e5813cbead69206b7097d26a452845dfa9c2a9323bffdb95a06fe9c3
Opcode Fuzzy Hash: f62cdbf99fd1994631e9b37d0c72a225121a179c97431be58f720d43f001f6f4
Instruction Fuzzy Hash: 3B81C0342042028BE724DF19C980A2BB3F1FF99314F55866DF9949B3A1EB75DC52CB4A

Function 0042F195 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

h~BL, xrefs: 0042F30E

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: h~BL
API String ID: 0-1016882582
Opcode ID: 2353f16c686568adc0586de7d1e93e01bd2d2aed02e5eac9b0619ca2789dfc7a
Instruction ID: d310ecfdec240870e155c2d86c43ce513ec1b225dc1c5596defbf7cef2baff88
Opcode Fuzzy Hash: 2353f16c686568adc0586de7d1e93e01bd2d2aed02e5eac9b0619ca2789dfc7a
Instruction Fuzzy Hash: 90517D35355742CBD714CA28C4D0362BBA2DFA7310B9883BEC5958B7C6C32D980AD765

Function 0042E002 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

79.', xrefs: 0042E015

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: 79.'
API String ID: 0-3373235548
Opcode ID: 3052bdd5b9f525bfd9188c849dd4df91fdd9a95299ae7d6644acfbbe7ea22ffb
Instruction ID: 405c93bd9d9a1b956de89b764b78e8638e9be0a0d1f875f63fdafa76fe9ef724
Opcode Fuzzy Hash: 3052bdd5b9f525bfd9188c849dd4df91fdd9a95299ae7d6644acfbbe7ea22ffb
Instruction Fuzzy Hash: 4841E7745043A08BE7274B2A98A0733BFE1BF13305F68598DD0D21B792C26AA407CB55

Function 004270D0 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

;?, xrefs: 004271F2

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: ;?
API String ID: 0-2547853717
Opcode ID: 282b5fac6d48e18fe4efb14707a773883bdbab0e0b8b2caa2082082d184848c1
Instruction ID: 345a1d19f6ef4a761144819c2a4b0586d162fe2b90bf75277ce9f538902e393a
Opcode Fuzzy Hash: 282b5fac6d48e18fe4efb14707a773883bdbab0e0b8b2caa2082082d184848c1
Instruction Fuzzy Hash: DD5156B960D3808FE3288F65888175FBBE1BBC5714F15892DE2D99B790DB749805CF82

Function 0042D420 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(?l, xrefs: 0042D4E2

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: InitializeThunk
String ID: (?l
API String ID: 2994545307-3586509061
Opcode ID: 20eb69036d69807debfbd8ef52ec59536dd4d5321856e452b3146c9f2ae76fca
Instruction ID: 8f228e5e5a1e4a0df9a7232996a6af5781287942daa8e57b9f502877da121123
Opcode Fuzzy Hash: 20eb69036d69807debfbd8ef52ec59536dd4d5321856e452b3146c9f2ae76fca
Instruction Fuzzy Hash: 4F312735B406428BE7298F29D850332FBA3EF96324B2C825DD1D1577E6D778EC42C644

Function 0043EB00 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

(?l, xrefs: 0043EB67

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: (?l
API String ID: 0-3586509061
Opcode ID: b939ac0ae8a7e6c01d205c8f16defd51028fc6a583e896a4bdaa9decfc305646
Instruction ID: f4efb102148d56746155fcf0a69e0a073b2616fb0f7bc1048f615d5ae5911f58
Opcode Fuzzy Hash: b939ac0ae8a7e6c01d205c8f16defd51028fc6a583e896a4bdaa9decfc305646
Instruction Fuzzy Hash: 7C2148719092108BE318CF1AC85576BFBA1EBC9328F19A52EE895573C0D37DDC418795

Function 0040BA29 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

WT, xrefs: 0040BA88

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: WT
API String ID: 0-3626323073
Opcode ID: 42fb4272aa81afcd5008efb270658d956bd8269d8dd2d15da7b95f1349e0bd98
Instruction ID: 7fe90350ce32cbd7e95176aa356467c42c1670bfe7b117e2a0000bb4fcdc20cd
Opcode Fuzzy Hash: 42fb4272aa81afcd5008efb270658d956bd8269d8dd2d15da7b95f1349e0bd98
Instruction Fuzzy Hash: 27213A766083408FC7288F24C89066BF7E2EFC6318F19891DD69717685DB75A806CF8A

Function 00426A00 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

"jB, xrefs: 00426A1C

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID: "jB
API String ID: 0-3276335117
Opcode ID: 1f66a87aa27601af76395a073f8366dbe3f1549dff5cf4ca866cc54e43ced975
Instruction ID: 5e1d8c0b1515ecfa31faa1c568337e693052fbc6b42adfdfb911d364570a270e
Opcode Fuzzy Hash: 1f66a87aa27601af76395a073f8366dbe3f1549dff5cf4ca866cc54e43ced975
Instruction Fuzzy Hash: D3C08CB6C080028FC5002F00AC0201AB9316B0320CF082039E40931133FA32F625950F

Function 00433AD0 Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abe2e5388ca49a3aee1385ff5d9ec2e1c49ce952211d54b5c5dcc7658123e42
Instruction ID: 19e77cbeac70fe1b032dade778546ae4f90eb2d797e4cd6945b2f28ddd58a70d
Opcode Fuzzy Hash: 4abe2e5388ca49a3aee1385ff5d9ec2e1c49ce952211d54b5c5dcc7658123e42
Instruction Fuzzy Hash: 527237B1614B819FD365CF39C805793BFE9AB9A310F18892ED0EAC3752C778A901CB55

Function 00406620 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a67c9af5ae7ea0b30bc1f4e41c7288df60f57a24e3fcc9aa3cae5cea7e50b4a
Instruction ID: 5a005799855934c09976bcccaf90a1a408f8946ac336e46e74ae0774756d1960
Opcode Fuzzy Hash: 2a67c9af5ae7ea0b30bc1f4e41c7288df60f57a24e3fcc9aa3cae5cea7e50b4a
Instruction Fuzzy Hash: C752E3B0A08B848FE731DB24C4843A7BBE1AB51314F15893FD5E7167C2C37DA9958B1A

Function 00407400 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74db7be54b89547c4583fa9d5f55d507e7e3092f5ffbe10338b1bf046ed84df7
Instruction ID: 4df813ee5f95e841ab821c98b8b5526f3f5ae33236fdb9f70e9fd3558806e740
Opcode Fuzzy Hash: 74db7be54b89547c4583fa9d5f55d507e7e3092f5ffbe10338b1bf046ed84df7
Instruction Fuzzy Hash: FA22A371A087119BC725DE18D9806ABB3E1BFC4319F19893ED9C6A7385D738B811CB87

Function 00403920 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a56a2174a21f7b1ce4be0e61a38001c8ad2b58519eef1c0bb9e511609eb280
Instruction ID: 5a210c8ec4b2c4720dd351bb4b74d57db097aa9d50479d616581e6e8ad521ed5
Opcode Fuzzy Hash: f4a56a2174a21f7b1ce4be0e61a38001c8ad2b58519eef1c0bb9e511609eb280
Instruction Fuzzy Hash: 9B322570A14B118FC338CF29C680526BBF5BF45711B604A2ED697A7B90D73AF945CB18

Function 0040E4B0 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab68c18d07f8cfbe79beb8cf8c5314606cd53cc5cf4a46702e367c08d1e921b
Instruction ID: fda9bdca6ed6b08ad27df6051f3271e57a80b1610e1044e1bfb88bf3d058d509
Opcode Fuzzy Hash: aab68c18d07f8cfbe79beb8cf8c5314606cd53cc5cf4a46702e367c08d1e921b
Instruction Fuzzy Hash: 6D02F1F1905B00AFC3A1CF3AC942797BEEDEB4A360F14491EF5AEC3251D63565058BA2

Function 004058E0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d279da61bf8c7c61ead4644797c3dfc60ec0ad82dc91f45a0d60c0cc466395d2
Instruction ID: 267e3f5fbdc053a50b3af936eb89667919aac18c26632b5f4709399f16904174
Opcode Fuzzy Hash: d279da61bf8c7c61ead4644797c3dfc60ec0ad82dc91f45a0d60c0cc466395d2
Instruction Fuzzy Hash: A9E19E712087418FD724CF29C980A6BFBE2EFD9300F48882EE4C597791D679E944CB96

Function 004288BA Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aef1aa3814c9c4b705c66121bcb57a98fe33e9505a7403f082166adc6315bb
Instruction ID: 4fc516d3c2b442602e552858b68be7734632adc4e96252525e150f64ed3c5c82
Opcode Fuzzy Hash: 50aef1aa3814c9c4b705c66121bcb57a98fe33e9505a7403f082166adc6315bb
Instruction Fuzzy Hash: A3C12DB6E016258FCB18CF68D89166EB7F1FF89310F59456DD816AB391DB34AC01CB90

Function 00406190 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c374d079d6379548898873a5539b69ba4134223e06127d70cd5f86227f86f8
Instruction ID: c5c8686286d32ea90a0caf62478a6a21538b7c926043de6aa08133d4809004d4
Opcode Fuzzy Hash: 43c374d079d6379548898873a5539b69ba4134223e06127d70cd5f86227f86f8
Instruction Fuzzy Hash: CCC16CB29087418FC360CF28DC86BABB7E1BF85318F09493DD1DAD6242E778A155CB46

Function 0041BAD0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505f79559dd9e8d36d9993cfddeb3062a13971fadec4c9e1b9f375b83bdbbec8
Instruction ID: 6fae1e02346183f5007d85acf3c694dfb59a35e1c4d43d8da9e29ea11ab639b9
Opcode Fuzzy Hash: 505f79559dd9e8d36d9993cfddeb3062a13971fadec4c9e1b9f375b83bdbbec8
Instruction Fuzzy Hash: 1C9128326486614FC7158E28DC9139BBB92EB95224F18823EE8A9CB3C1D739D84787D1

Function 00432188 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374b69e95b0b23761bf0d60bf7716e4a6e6a3a5107f6346765665cdfc9adefcb
Instruction ID: 68ac7d0cae4bbc87c51ad9647bfb649fc1625df3c3599321d0ae7e103ae8f3d1
Opcode Fuzzy Hash: 374b69e95b0b23761bf0d60bf7716e4a6e6a3a5107f6346765665cdfc9adefcb
Instruction Fuzzy Hash: 6BC1C272608B808FD3259B38C8543A7BFD25F96314F1DCA6DD4EE87782DA78A405CB16

Function 004311E6 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff58d46433a866fad77eb6440bf208503f5f891f1e575d2752332d294a139a1
Instruction ID: 39227b27f31a8280b810b9a1614f853086edde8d10956dd396cef080c5ac7863
Opcode Fuzzy Hash: 7ff58d46433a866fad77eb6440bf208503f5f891f1e575d2752332d294a139a1
Instruction Fuzzy Hash: 89B11671608B808BD3298B38C8913A7BFE25B96314F08CA7DD5EB87783D538A409C756

Function 00431A88 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1596283b2e12c8fdeddeddfd569bb53ef3edefb17a41e2be70731819b26db4
Instruction ID: 50fbcd0d9531890a1d81aeb0e18adabed9ab4dec76f6eb72c81472d86dbda2ce
Opcode Fuzzy Hash: af1596283b2e12c8fdeddeddfd569bb53ef3edefb17a41e2be70731819b26db4
Instruction Fuzzy Hash: ECB13661608F808BD3259B3CC8913A7BFE25B96314F08CA6DD4EB87783D678A409C756

Function 0041C7D0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f302995b84685d0760f9c7472022f85ec433ed9ee916ef690905c16a98538308
Instruction ID: 4225521eafc4b1b2db9b6f37bbff37b7f7ab93ae656f18983b6813e8e372288a
Opcode Fuzzy Hash: f302995b84685d0760f9c7472022f85ec433ed9ee916ef690905c16a98538308
Instruction Fuzzy Hash: 77812572B599804BC719CE7C8CD13AABE535FD7330B2D837AE5B28B3D1C66948428365

Function 004421B0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e639b92aa0330a83a9c8eabd28dc9be480c53553e2f66d9bbb52e8a64dcdd39
Instruction ID: 436c05d9389ded176de50a0afa70803b8f447a8a6026d667370c63e68a94d112
Opcode Fuzzy Hash: 8e639b92aa0330a83a9c8eabd28dc9be480c53553e2f66d9bbb52e8a64dcdd39
Instruction Fuzzy Hash: 0241F173A583104FE314DEB8CD8031BBBD2ABD5314F1A853EE994D7341D2B88A058792

Function 00727522 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486aabafa44c72689987a9c6ed885e415bf9aca5ca5bb1cc40e1346d4849c1e9
Instruction ID: b5eabe34364b9fb3060d09033a265f1de9d01aef81332aad4699c5339e4f042d
Opcode Fuzzy Hash: 486aabafa44c72689987a9c6ed885e415bf9aca5ca5bb1cc40e1346d4849c1e9
Instruction Fuzzy Hash: 2A51476294E3E15FC72B8B705969852BFB56E2321071E86CFD4C18F4A3E36C8909D763

Function 00402940 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ca20dc4f76e8c3e8d02b75f9c402b180f2256a0ed4e9f610f16215ed658aa6
Instruction ID: 54b1615ece0800edf578a66f6fa2aba7240dcbf02494f9453b14f9bc813aead1
Opcode Fuzzy Hash: 94ca20dc4f76e8c3e8d02b75f9c402b180f2256a0ed4e9f610f16215ed658aa6
Instruction Fuzzy Hash: 39411732B0C2654BC7149E2D8D5427ABBD29FC5218F0DC57EA8C9DB7C7E57898009785

Function 004412B1 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa374590dffa9170f901e677aeca6d256a19dc4d7adeacb217e02be019ebc1f
Instruction ID: f3f2334c433ac8a82496a3e15c8bea39f0302fd6b20164b5654d3aa52824659f
Opcode Fuzzy Hash: 4fa374590dffa9170f901e677aeca6d256a19dc4d7adeacb217e02be019ebc1f
Instruction Fuzzy Hash: B7412633B087614BE318CE7C899116BFBD6ABCA614F1A867EC889D7361D674DC4087C9

Function 0072A7C6 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14487b87d247b68ddb90241f5c12ca08c91da15870e62b1e6cc9b1163eb81932
Instruction ID: 49121540eff277def149a38e2425f4a9e2d36ba6f2f71711416ba6c6e52126e9
Opcode Fuzzy Hash: 14487b87d247b68ddb90241f5c12ca08c91da15870e62b1e6cc9b1163eb81932
Instruction Fuzzy Hash: 7E41656A40E7D68FD3134E3CA4926C1BFB1EF9622478D48EEC8C18E913D2196597D782

Function 00429871 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09596351fb64b87a98e6c970a9ecc13ddbb40e5683ff1ccac569d429f55284e1
Instruction ID: 3e828dc637c6aee99513c29835b99d357d4520004c741a88f318c34ece8bb8a3
Opcode Fuzzy Hash: 09596351fb64b87a98e6c970a9ecc13ddbb40e5683ff1ccac569d429f55284e1
Instruction Fuzzy Hash: E941E071E043258BDB10DF49D8922ABB372FF66314F19411ADC84AB354E739AD01CBA9

Function 00726A9B Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b4262e309c2b7ab1aa286e8e0a8183efda8d83b07cc10373c2fb58d5741d6c
Instruction ID: 5c7611f5069ba9245147bbb795bfa546ad8c4aa12ef9a3e108ca3a4911ec8464
Opcode Fuzzy Hash: a7b4262e309c2b7ab1aa286e8e0a8183efda8d83b07cc10373c2fb58d5741d6c
Instruction Fuzzy Hash: B831A5A640E3D48FD7138B70A8696517FB0AF27204B2E84DFC4D1DF4B3E619190AE722

Function 00726A5B Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724771282baba7cf7655b940cba6eea5508d910d0458c18cb97aa4bb51d5c633
Instruction ID: a2d408d5ccdc619fffa2f36d3b04ab0e20c798dc7b9ced7e0e8f42f0766c8dfb
Opcode Fuzzy Hash: 724771282baba7cf7655b940cba6eea5508d910d0458c18cb97aa4bb51d5c633
Instruction Fuzzy Hash: FF31B5A640E3D48FD7138B70A8696517FB0AF27204B2E84DFC4D1DF4B3E619190AE762

Function 00726B5D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f50284ddcbd9f5b4f1d292b9e32b6e77dc9d1a508774d0eee5b354c9abd5d0b
Instruction ID: 86abaaa137b0827bcb1af458b8b54f8ec032b42c3ebd49bdfb4cdd179cd0dd31
Opcode Fuzzy Hash: 2f50284ddcbd9f5b4f1d292b9e32b6e77dc9d1a508774d0eee5b354c9abd5d0b
Instruction Fuzzy Hash: 5C21C7A240E3D48FD7138B30A8696517FB0AF27204B2E44DFC4D1CF4B3E629191AE722

Function 00402B20 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaf8d0e94f5c6e15ea278469f7b2b102a292380ec2eac3b30e0d01d28b7b789
Instruction ID: 83086252303ea28528da4c30559dd3180df40622f01d3ae2d5ce96dbba8d640e
Opcode Fuzzy Hash: bfaf8d0e94f5c6e15ea278469f7b2b102a292380ec2eac3b30e0d01d28b7b789
Instruction Fuzzy Hash: 0311B43AB546214BE758DE51DCF963BB366E7C621071A013EDA87673C1CE70F902D254

Function 0072A969 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
Instruction ID: 56d26e3688a4d24abcb94242e44e864b830a23b6e5577a8b340d74fb2df8cfa5
Opcode Fuzzy Hash: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
Instruction Fuzzy Hash: 3F2104651092E58FD307CF74E594A82BFA1FF8B71639E40DDC9C18F427C2A66542CB52

Function 00726B1B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc9857445ffce5b776e2a2afcfecc5091cc565ddf6e2ac9950d6d31bceb2451
Instruction ID: bdcbe9b04d98ff5ceff481e8dc6a6e5a7e18c0f8e1397d44a8db8860be5a3519
Opcode Fuzzy Hash: cbc9857445ffce5b776e2a2afcfecc5091cc565ddf6e2ac9950d6d31bceb2451
Instruction Fuzzy Hash: E021B2A240E3D48FD7138B30987A651BFB0AF27204B2E48DFC4C1DF4A3D6291919E762

Function 00438AF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 64260c404912ea7eadd8c0e068931427c058d1959da23024316477ca1ba720c8
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 83112933A052D10EC3128D3C8410565FFA30EA7234F29939EF4B49B2D2DA269D8B8359

Function 0042B430 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e7ded30f0094831d969e20c4aec502c775388c470d9f6a482129ef2dc29c33
Instruction ID: 9ac58ec8d4b3439cda35f7244ec872c65e6fe70fd35cd3954e032617cd07918a
Opcode Fuzzy Hash: f2e7ded30f0094831d969e20c4aec502c775388c470d9f6a482129ef2dc29c33
Instruction Fuzzy Hash: CD015EF1B017124BD620AE55E4C1727A3A8AB9070CF58453EE9049B343EB79FC1586DA

Function 00726B9B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dac87b2ba784ad7796824d859d1acbafdf820f0b6a2e572961bbe6bb3864428
Instruction ID: 3faf79622a8b87ec45ad2ddecc1b0bee4d513160156efd6a60fdb3e0a368c947
Opcode Fuzzy Hash: 3dac87b2ba784ad7796824d859d1acbafdf820f0b6a2e572961bbe6bb3864428
Instruction Fuzzy Hash: D001FFB240E3E58FC7235F709825252BFB0AF2730072A48DFC4C29B0A3D7291555EB62

Function 00726B5B Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2152474067.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0071E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_71e000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f958bbe8de8c1a470aec2aecd55f58289062e346ae44454e5ccc38017786415
Instruction ID: 1176c3c773da31c03fc1e062ddc0a1d43a9a40a66ac35d13300049fda002fe64
Opcode Fuzzy Hash: 6f958bbe8de8c1a470aec2aecd55f58289062e346ae44454e5ccc38017786415
Instruction Fuzzy Hash: 18F0A4B240E3E58FC7264F709825112BFB0AF2730473A48DFC4C19B462E72A2955EB62

Function 00440310 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991ea2132e0eb55e251af0bd0bd477f6bdeb013d459269053c785cdc43e1901a
Instruction ID: 776a1f7dd0c074e79f55533e911544892ec85f46c384d1e8a4e462c15b4e92e9
Opcode Fuzzy Hash: 991ea2132e0eb55e251af0bd0bd477f6bdeb013d459269053c785cdc43e1901a
Instruction Fuzzy Hash: 97D022B86481003B0248CB09CC4AE33B77CC387200F002034BE05C3350C610EC2182EE

Function 0042912D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,FF5DFD53,0000001E,00000000,00000000,0=), ref: 004291F6

Strings

0=, xrefs: 004291EA
0=, xrefs: 00429160
ER, xrefs: 00429152
P&, xrefs: 0042914B

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 0=$0=$ER$P&
API String ID: 237503144-76498936
Opcode ID: 0079ea79e2fb7e5baa3f88d56f099e6c62f6800e86d7f0632ebd355a09f482a8
Instruction ID: a2bc4232f0b587c6731111968c4b9dfd6b547f1d994af41bba96082cdda02b35
Opcode Fuzzy Hash: 0079ea79e2fb7e5baa3f88d56f099e6c62f6800e86d7f0632ebd355a09f482a8
Instruction Fuzzy Hash: 5E31A074A08B518FD7718F28D84036BBBF2FB85710F149E2DC4A69BB91D775A8428F84

Function 0040C9A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C9AA
CoInitializeEx.OLE32(00000000,00000002), ref: 0040CADC

Strings

i., xrefs: 0040CAE2

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: Initialize
String ID: i.
API String ID: 2538663250-1725878519
Opcode ID: 872d7b5f8456bc3f6783d31e16598718fdc5c5481af570d42e5062d0accf6b6c
Instruction ID: ba51fcffb96049ba4a9d2ecb0e51bddf3b28327b6748284e76850d605b8acc93
Opcode Fuzzy Hash: 872d7b5f8456bc3f6783d31e16598718fdc5c5481af570d42e5062d0accf6b6c
Instruction Fuzzy Hash: 0F41C9B4810B40AFD370EF39D94B7127EB8AB05250F504B1DF9E6866D4E631A4198BD7

Function 0040B5D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(004089EB), ref: 0040B5D6
FreeLibrary.KERNEL32 ref: 0040B5F7

Strings

#v, xrefs: 0040B5D6, 0040B5F7

Memory Dump Source

Source File: 00000000.00000002.2188816608.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188816608.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L#U043e#U0430d#U0435r.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 62f50812e52bb63f360f50f5696872349249e40dfa0370fcd185f2f673d9e761
Instruction ID: 2b90beec229bcabb032f80ab3f8ed21d398b4004671114d789e0d62637093dd3
Opcode Fuzzy Hash: 62f50812e52bb63f360f50f5696872349249e40dfa0370fcd185f2f673d9e761
Instruction Fuzzy Hash: F8C002394401819FDF027B64FD4D8183E79FB92746310803AE40251535DB228920AFE9

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report L#U043e#U0430d#U0435r.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_L#U043e#U0430d#U_bb8376acd516e20e7ba29a2665f67f3c7f940bd_2e73e446_e8115ced-c55f-4f6c-a2ad-05d6679b80e3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65B7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6684.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66B3.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
L#U043e#U0430d#U0435r.exe

Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228
threadCOMMON

Function 0040AE60 Relevance: 5.5, Strings: 4, Instructions: 489
COMMON

Function 004402D0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00440A0D Relevance: 1.5, Strings: 1, Instructions: 210
COMMON

Function 004406A2 Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Function 0043E860 Relevance: 1.5, APIs: 1, Instructions: 22
memoryCOMMON

Function 0040A612 Relevance: 1.5, APIs: 1, Instructions: 12
networkCOMMON

Function 0043E840 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON