Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522637
MD5:	245f52e7267ef7042583d20b32023967
SHA1:	ba5e0ddef975bc7928c3af7d56080276216c6a32
SHA256:	5db8ed24d791ca0f05f6df8517b679a456059a09ffd10b0cca1e83d27818fd8f
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 320 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 245F52E7267EF7042583D20B32023967)

WerFault.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1088 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 884 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1668 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["writekdmsnu.site", "underlinemdsj.site", "diskegraciw.onli", "agentyanlark.site", "possiwreeste.site", "famikyjdiag.site", "commandejorsk.site", "bellykmrebk.site", "delaylacedmn.site"], "Build id": "k99eRC--Bot6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2424482575.000000000062E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x11b8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T14:02:12.346757+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49705	188.114.96.3	443	TCP
2024-09-30T14:02:13.611130+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49706	172.67.129.166	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T14:02:12.346757+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49705	188.114.96.3	443	TCP
2024-09-30T14:02:13.611130+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49706	172.67.129.166	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: 0.3.file.exe.21e0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["writekdmsnu.site", "underlinemdsj.site", "diskegraciw.onli", "agentyanlark.site", "possiwreeste.site", "famikyjdiag.site", "commandejorsk.site", "bellykmrebk.site", "delaylacedmn.site"], "Build id": "k99eRC--Bot6"}

Multi AV Scanner detection for domain / URL

Source: https://underlinemdsj.site/api	Virustotal: Detection: 10%			Perma Link
Source: https://famikyjdiag.site/api	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 39%			Perma Link
Source: file.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: delaylacedmn.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: writekdmsnu.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: agentyanlark.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bellykmrebk.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: underlinemdsj.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: commandejorsk.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: possiwreeste.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: famikyjdiag.site
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: diskegraciw.onli
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: k99eRC--Bot6

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.166:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_0040F242
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	0_2_0040F242
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	0_2_0044A610
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	0_2_0040F940
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0040F940
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_004109FD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	0_2_00446C3F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	0_2_00446C3F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00446C3F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0040ED69
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea edx, dword ptr [eax+edi]	0_2_0040FEA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_0040FEA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, ebp	0_2_00422063
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	0_2_00434060
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00434060
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00407070
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	0_2_0044716D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	0_2_00440118
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	0_2_0044711B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	0_2_00434136
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00434136
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	0_2_0042A1F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0041518E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	0_2_00448190
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	0_2_00433240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00433240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00433240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00433240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	0_2_0041325D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00422260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_004492C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00425320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0041B330
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, eax	0_2_0040A3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0040A3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00448390
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ebx	0_2_00430399
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00449410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	0_2_00444480
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_004354A6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_0041F552
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000110h]	0_2_0041F552
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	0_2_00445580
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	0_2_00440580
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00449580
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00422673
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004296C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_004446C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0042268A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00449690
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_004276A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00408750
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, edi	0_2_0042F700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then shrd esi, edx, 00000001h	0_2_00403710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00431720
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	0_2_00420729
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	0_2_004407E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00449780
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	0_2_0044A7A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+24h], DEC6D8DEh	0_2_00430810
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3BABA5E0h	0_2_00444960
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00427900
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	0_2_0044A920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00449A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0040DA90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, edi	0_2_0042FAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00404B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	0_2_00444B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00413B7C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	0_2_0042DB00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	0_2_0042DB00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp di, 005Ch	0_2_0041FB39
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	0_2_0041FB39
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0043BBB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	0_2_00448C40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00405C20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00422C90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00441D40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_0041DD55
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00421DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00421DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00414D8D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0040DE20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0042CEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esi, eax	0_2_00431ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, word ptr [esi]	0_2_00429EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00421DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00421DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00428FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00428FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000005A8h]	0_2_00420F8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 625B6034h	0_2_021AB237
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_021872D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, ebp	0_2_021A22C8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	0_2_021C83F7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_021953F5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	0_2_0218F029
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	0_2_0218F029
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_021A2027
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_021A2027
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0218E087
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esi, eax	0_2_021B2137
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_021AD14E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000005A8h]	0_2_021A11F1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, eax	0_2_0218A657
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0218A657
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	0_2_021AE685
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	0_2_021C46E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_021B5707
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea edx, dword ptr [eax+edi]	0_2_02190730
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_0219F7B9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_021907D6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	0_2_021C57E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	0_2_021AA457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_021A94CE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_021A94CE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	0_2_021934C4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_021A24C7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	0_2_021B44EA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0219B597
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_021A5587
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ebx	0_2_021B05FF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_021C85F7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	0_2_021CAA07
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	0_2_021C0A47
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000110h]	0_2_0219FA8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	0_2_0218FAA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	0_2_0218FB30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_021A7B67
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	0_2_021CAB87
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	0_2_0218FBA7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0218FBA7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3BABA5E0h	0_2_021C4BC7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	0_2_021CA877
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_021B48ED
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_021A2900
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_021A7907
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_0218F922
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_021C4927
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_021A9927
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then shrd esi, edx, 00000001h	0_2_02183977
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_021B1987
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_021889B7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_021BBE17
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_02185E87
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	0_2_021C8EA7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_021A2EF7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_021B3EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_021B3EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_021B3F67
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_021B3F67
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_0219DFBC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0218EFCD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_02194FF4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	0_2_021AEC50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0218DCF7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, edi	0_2_021AFD20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	0_2_021B3DBB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_021B3DBB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	0_2_021B3DBE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_021B3DBE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+24h], DEC6D8DEh	0_2_021B0DDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	0_2_021C4DC7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_02184DC7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_02193DE3

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49706 -> 172.67.129.166:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 172.67.129.166:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: writekdmsnu.site
Source: Malware configuration extractor	URLs: underlinemdsj.site
Source: Malware configuration extractor	URLs: diskegraciw.onli
Source: Malware configuration extractor	URLs: agentyanlark.site
Source: Malware configuration extractor	URLs: possiwreeste.site
Source: Malware configuration extractor	URLs: famikyjdiag.site
Source: Malware configuration extractor	URLs: commandejorsk.site
Source: Malware configuration extractor	URLs: bellykmrebk.site
Source: Malware configuration extractor	URLs: delaylacedmn.site

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: diskegraciw.online
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: underlinemdsj.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: diskegraciw.online
Source: global traffic	DNS traffic detected: DNS query: famikyjdiag.site
Source: global traffic	DNS traffic detected: DNS query: possiwreeste.site
Source: global traffic	DNS traffic detected: DNS query: commandejorsk.site
Source: global traffic	DNS traffic detected: DNS query: underlinemdsj.site
Source: global traffic	DNS traffic detected: DNS query: bellykmrebk.site
Source: global traffic	DNS traffic detected: DNS query: agentyanlark.site
Source: global traffic	DNS traffic detected: DNS query: writekdmsnu.site
Source: global traffic	DNS traffic detected: DNS query: delaylacedmn.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: diskegraciw.online

Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agentyanlark.site/api
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/api
Source: file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/api
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/apiH4j
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/api_;
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/apiu49
Source: file.exe, 00000000.00000002.2424428830.000000000061E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diskegraciw.online/api
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://famikyjdiag.site/api
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/#
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201952640.0000000000668000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900i
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/api
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/api

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.166:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00439D70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00439D70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0043A264 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_0043A264

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2424482575.000000000062E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F242	0_2_0040F242
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410A14	0_2_00410A14
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040FEA0	0_2_0040FEA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00434060	0_2_00434060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B010	0_2_0040B010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F038	0_2_0042F038
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00440118	0_2_00440118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409130	0_2_00409130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00434136	0_2_00434136
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043F1E0	0_2_0043F1E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004492C0	0_2_004492C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401297	0_2_00401297
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405320	0_2_00405320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040A3F0	0_2_0040A3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004073B0	0_2_004073B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449410	0_2_00449410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B4B0	0_2_0040B4B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449580	0_2_00449580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411600	0_2_00411600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D6F0	0_2_0042D6F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449690	0_2_00449690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448740	0_2_00448740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408750	0_2_00408750
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403710	0_2_00403710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004407E0	0_2_004407E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449780	0_2_00449780
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041E85A	0_2_0041E85A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042887B	0_2_0042887B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430810	0_2_00430810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00439880	0_2_00439880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040A940	0_2_0040A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041E900	0_2_0041E900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449A40	0_2_00449A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409AC4	0_2_00409AC4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00444B60	0_2_00444B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042DB00	0_2_0042DB00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00439B00	0_2_00439B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041FB39	0_2_0041FB39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042DBD5	0_2_0042DBD5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448C40	0_2_00448C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00428D00	0_2_00428D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00428D1C	0_2_00428D1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044AD20	0_2_0044AD20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429DC9	0_2_00429DC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407DB0	0_2_00407DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437E70	0_2_00437E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CEC0	0_2_0042CEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429EE0	0_2_00429EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410E90	0_2_00410E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BFC0	0_2_0040BFC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0218C227	0_2_0218C227
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0218B277	0_2_0218B277
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02181267	0_2_02181267
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02188017	0_2_02188017
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021B80D7	0_2_021B80D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02187617	0_2_02187617
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02185622	0_2_02185622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0218A657	0_2_0218A657
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0218B717	0_2_0218B717
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021814FE	0_2_021814FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02182528	0_2_02182528
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021855D7	0_2_021855D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021C0A47	0_2_021C0A47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021B9AE7	0_2_021B9AE7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0218ABA7	0_2_0218ABA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02191867	0_2_02191867
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AD957	0_2_021AD957
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02183977	0_2_02183977
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021889B7	0_2_021889B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021C89A7	0_2_021C89A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021C8EA7	0_2_021C8EA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021CAF87	0_2_021CAF87
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AEC50	0_2_021AEC50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021B9D67	0_2_021B9D67
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021C4DC7	0_2_021C4DC7

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0218CD77 appears 91 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040CB10 appears 57 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0219DE07 appears 112 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041DBA0 appears 150 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 564

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2424482575.000000000062E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/29@10/3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0062F1E6 CreateToolhelp32Snapshot,Module32First,

0_2_0062F1E6

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00437110 CoCreateInstance,

0_2_00437110

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess320

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6fffbd7c-f39b-493e-bb48-dfe6e14cb3b0

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	Virustotal: Detection: 39%
Source: file.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 564
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 628
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 636
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 664
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1088
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 884
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1668

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E2AC push eax; retn 0062h	0_2_0062E30D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E315 push eax; retn 0062h	0_2_0062E30D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006345C2 push 0F56897Eh; iretd	0_2_006345C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E7FE pushad ; iretd	0_2_0062E7D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062E78E pushad ; iretd	0_2_0062E7D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00634792 push 21AC8121h; ret	0_2_006347F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A1092 push 7216F883h; iretd	0_2_021A1097
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A0F62 push 7214F883h; iretd	0_2_021A0F67

Source: file.exe

Static PE information: section name: .text entropy: 7.838427190663764

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5508

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424508239.000000000065B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWAprilMarchFebruaryJanuaryDecNovOctSepAugJulJunMayAprMarFebJanSaturdayFridayThursdayWednesdayTuesdayMondaySundaySatFriThuWedTueMonSune+000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00446BB0 LdrInitializeThunk,

0_2_00446BB0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062EAC3 push dword ptr fs:[00000030h]	0_2_0062EAC3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0218092B mov eax, dword ptr fs:[00000030h]	0_2_0218092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02180D90 mov eax, dword ptr fs:[00000030h]	0_2_02180D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: underlinemdsj.site
Source: file.exe	String found in binary or memory: commandejorsk.site
Source: file.exe	String found in binary or memory: possiwreeste.site
Source: file.exe	String found in binary or memory: famikyjdiag.site
Source: file.exe	String found in binary or memory: diskegraciw.onli
Source: file.exe	String found in binary or memory: delaylacedmn.site
Source: file.exe	String found in binary or memory: writekdmsnu.site
Source: file.exe	String found in binary or memory: agentyanlark.site
Source: file.exe	String found in binary or memory: bellykmrebk.site

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
file.exe	40%	Virustotal	Browse
file.exe	39%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
underlinemdsj.site	1%	Virustotal	Browse
famikyjdiag.site	2%	Virustotal	Browse
possiwreeste.site	3%	Virustotal	Browse
delaylacedmn.site	1%	Virustotal	Browse
agentyanlark.site	1%	Virustotal	Browse
bellykmrebk.site	1%	Virustotal	Browse
writekdmsnu.site	1%	Virustotal	Browse
commandejorsk.site	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://upx.sf.net	0%	URL Reputation	safe
possiwreeste.site	3%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199724331900i	0%	Virustotal		Browse
famikyjdiag.site	2%	Virustotal		Browse
writekdmsnu.site	1%	Virustotal		Browse
agentyanlark.site	1%	Virustotal		Browse
https://bellykmrebk.site/api	1%	Virustotal		Browse
commandejorsk.site	1%	Virustotal		Browse
https://delaylacedmn.site/api	4%	Virustotal		Browse
https://steamcommunity.com/#	0%	Virustotal		Browse
delaylacedmn.site	1%	Virustotal		Browse
https://writekdmsnu.site/api	4%	Virustotal		Browse
https://steamcommunity.com/	0%	Virustotal		Browse
underlinemdsj.site	1%	Virustotal		Browse
https://underlinemdsj.site/api	10%	Virustotal		Browse
bellykmrebk.site	1%	Virustotal		Browse
https://famikyjdiag.site/api	9%	Virustotal		Browse
https://agentyanlark.site/api	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
diskegraciw.online	188.114.96.3	true	true		unknown
steamcommunity.com	104.102.49.254	true	false	0%, Virustotal, Browse	unknown
underlinemdsj.site	172.67.129.166	true	true	1%, Virustotal, Browse	unknown
possiwreeste.site	unknown	unknown	true	3%, Virustotal, Browse	unknown
commandejorsk.site	unknown	unknown	true	1%, Virustotal, Browse	unknown
famikyjdiag.site	unknown	unknown	true	2%, Virustotal, Browse	unknown
writekdmsnu.site	unknown	unknown	true	1%, Virustotal, Browse	unknown
agentyanlark.site	unknown	unknown	true	1%, Virustotal, Browse	unknown
delaylacedmn.site	unknown	unknown	true	1%, Virustotal, Browse	unknown
bellykmrebk.site	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
possiwreeste.site	true	3%, Virustotal, Browse	unknown
commandejorsk.site	true	1%, Virustotal, Browse	unknown
famikyjdiag.site	true	2%, Virustotal, Browse	unknown
writekdmsnu.site	true	1%, Virustotal, Browse	unknown
agentyanlark.site	true	1%, Virustotal, Browse	unknown
diskegraciw.onli	true		unknown
https://diskegraciw.online/api	true		unknown
delaylacedmn.site	true	1%, Virustotal, Browse	unknown
https://underlinemdsj.site/api	true	10%, Virustotal, Browse	unknown
underlinemdsj.site	true	1%, Virustotal, Browse	unknown
bellykmrebk.site	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199724331900i	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://delaylacedmn.site/apiu49	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201952640.0000000000668000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://bellykmrebk.site/api	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://delaylacedmn.site/api	file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
https://writekdmsnu.site/api	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
https://delaylacedmn.site/apiH4j	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://delaylacedmn.site/api_;	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/#	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://famikyjdiag.site/api	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse	unknown
https://agentyanlark.site/api	file.exe, 00000000.00000003.2202093394.0000000000691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2424583172.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	diskegraciw.online	European Union	13335	CLOUDFLARENETUS	true
172.67.129.166	underlinemdsj.site	United States	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522637
Start date and time:	2024-09-30 14:01:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/29@10/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 16 Number of non-executed functions: 193
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:02:11	API Interceptor	3x Sleep call for process: file.exe modified
08:02:35	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	hdcy.emcl00.com/qRCfs/
172.67.129.166	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
172.67.129.166	xin.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/malt.zip	Get hash	malicious	Unknown	Browse	104.102.49.254
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	Clipboard Hijacker, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	kuly.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
underlinemdsj.site	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.129.166
	xin.exe	Get hash	malicious	LummaC	Browse	172.67.129.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.curiosolucky.com/dos/#XaXBlcmFsdGFAc2FuaXRhcy5lcw==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://magical-variation-300980.framer.app/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://magical-variation-300980.framer.app/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://fshjjfetalpacksrlfggghhgfgj.taplink.ws/	Get hash	malicious	HTMLPhisher	Browse	104.19.229.21
	INVOICE DUE..xlsx	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.netigate.se/a/s.aspx?s=1236726X450166796X50614	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	https://linke.to/pkmlogistics	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://metrics.send.hotmart.com/v2/events/click/64ec6af4-7b81-4abf-9e97-fe7d70d45255?d=1nFwG70sgZqlXE	Get hash	malicious	Unknown	Browse	104.18.95.41
CLOUDFLARENETUS	https://www.curiosolucky.com/dos/#XaXBlcmFsdGFAc2FuaXRhcy5lcw==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://magical-variation-300980.framer.app/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://magical-variation-300980.framer.app/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://fshjjfetalpacksrlfggghhgfgj.taplink.ws/	Get hash	malicious	HTMLPhisher	Browse	104.19.229.21
	INVOICE DUE..xlsx	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.netigate.se/a/s.aspx?s=1236726X450166796X50614	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	https://linke.to/pkmlogistics	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://metrics.send.hotmart.com/v2/events/click/64ec6af4-7b81-4abf-9e97-fe7d70d45255?d=1nFwG70sgZqlXE	Get hash	malicious	Unknown	Browse	104.18.95.41
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	https://content.app-us1.com/5zbe53/2024/09/30/8d9df716-ca99-47ed-825e-d3a2a0e6cd9e.pdf	Get hash	malicious	HTMLPhisher	Browse	23.47.168.24
	Tonincasa Updated Employee sheet .pdf	Get hash	malicious	HTMLPhisher	Browse	104.77.220.172
	MagicUtilities-Setup-3.1.4.5-Win10.exe	Get hash	malicious	Unknown	Browse	184.28.90.27
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/malt.zip	Get hash	malicious	Unknown	Browse	104.102.49.254
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.129.166 188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.129.166 188.114.96.3
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	172.67.129.166 188.114.96.3
	PI#0034250924.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.129.166 188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.129.166 188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.129.166 188.114.96.3
	Transmission Cost Database 2.0.xlsb	Get hash	malicious	Unknown	Browse	172.67.129.166 188.114.96.3
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	172.67.129.166 188.114.96.3
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.129.166 188.114.96.3
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	172.67.129.166 188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_b74f308923c8e8441a81d87f1d6d177acdd8a4_85207d7d_3f7ce61f-b630-4548-969c-0704773cacc8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.586702952276687
Encrypted:	false
SSDEEP:	96:4dF8ic5GovvsQhMov7RmS3QXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAK6f/Vd:438ic5Govvq0WbkQzuiFnZ24IO8ep
MD5:	775F62ADF2AB15B561CA6FD3CFD3333E
SHA1:	F498C3EE4B1BA9F7675D8E3A6C4E5042AFDB5197
SHA-256:	1A3FCC5EDB73F894B9D83C8CF6CF2D33211846727BF88F8BC933BB4FF642074C
SHA-512:	702E020C2711566145A83D86EAA2740BC4DBB483B4A76CE3101B7AA4EAF4CA8E137D129ECC050FEA37370E7C8078DEAD490C2001F75C5B01216FA106CAFF193A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.1.3.3.3.6.4.7.1.4.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.7.1.3.3.7.8.8.1.5.0.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.7.c.e.6.1.f.-.b.6.3.0.-.4.5.4.8.-.9.6.9.c.-.0.7.0.4.7.7.3.c.a.c.c.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.e.c.7.5.7.6.-.8.9.0.9.-.4.5.7.9.-.8.6.9.f.-.e.4.c.7.d.1.b.2.4.d.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.4.b.e.5.-.a.b.8.e.3.0.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.a.5.e.0.d.d.e.f.9.7.5.b.c.7.9.2.8.c.3.a.f.7.d.5.6.0.8.0.2.7.6.2.1.6.c.6.a.3.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_2f6dbba0-17a5-4a1a-8cb9-77733719e7ba\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8829649950853332
Encrypted:	false
SSDEEP:	192:hac5GovkPl1056rrE3j/o8zuiFMZ24IO8ThB:QykNW56rwjxzuiFMY4IO8r
MD5:	62384160BBA1FC28C51683B9D0D15C70
SHA1:	1EFE3C8B2E484448C74DBA3B61262D9677C60666
SHA-256:	70861448201DA86635D670C1399AA601856BA66F219C5D31880C343D57456647
SHA-512:	13E0FA8727A544AC0984E6FCBBCB7428FE3AF668F781A9ED365B6833E4AF464FB178E26C6801CA68FF274560F8DE256DCC3CF11103A8029FF0D5AA9C9C9EAB69
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.1.3.3.0.6.4.3.1.8.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.6.d.b.b.a.0.-.1.7.a.5.-.4.a.1.a.-.8.c.b.9.-.7.7.7.3.3.7.1.9.e.7.b.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.8.8.a.5.4.3.-.b.5.b.8.-.4.4.3.7.-.8.5.f.3.-.8.7.9.7.b.d.4.e.2.c.8.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.4.b.e.5.-.a.b.8.e.3.0.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.a.5.e.0.d.d.e.f.9.7.5.b.c.7.9.2.8.c.3.a.f.7.d.5.6.0.8.0.2.7.6.2.1.6.c.6.a.3.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.7.:.1.6.:.2.2.:.2.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_40863313-8c37-4cc6-94d9-423ab9d146ca\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9168544025906171
Encrypted:	false
SSDEEP:	192:HEac5GovBPl1056rrE3j/o1zuiFMZ24IO8ThB:lyBNW56rwjwzuiFMY4IO8r
MD5:	DB2F8808667F15CFB53E34C55A41A80B
SHA1:	89FD4D55587A59A5854A9FC6E3141EF201EE84D9
SHA-256:	3796DA3D64A73FF814E0A2EC5E1DBE09646069CDBD63FF26EA75DED50B8A7250
SHA-512:	A1E42F5514BD0ECD37D75C201DEF582F7F7244B220410F31AC0154F76A8C0B37678CCCECAC8EE23243364E53A1314686CC126969ED04E7DAB8F36B1861E4B453
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.1.3.3.2.0.6.7.2.8.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.8.6.3.3.1.3.-.8.c.3.7.-.4.c.c.6.-.9.4.d.9.-.4.2.3.a.b.9.d.1.4.6.c.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.f.6.7.0.9.1.-.d.b.3.f.-.4.0.c.f.-.8.1.e.a.-.a.5.e.1.6.1.2.8.6.2.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.4.b.e.5.-.a.b.8.e.3.0.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.a.5.e.0.d.d.e.f.9.7.5.b.c.7.9.2.8.c.3.a.f.7.d.5.6.0.8.0.2.7.6.2.1.6.c.6.a.3.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.7.:.1.6.:.2.2.:.2.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_787f3a4b-fbba-4f88-bfc1-e8c5ed65ad86\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8139032786068371
Encrypted:	false
SSDEEP:	192:2Eac5GovDPl1056rrE3j/VzuiFMZ24IO8ThB:IyDNW56rwjtzuiFMY4IO8r
MD5:	01BD4D7C72729F18E321E865DAB0B320
SHA1:	741027DBF1A0347757B3A9B24AE1EB3361D67B72
SHA-256:	047EB4C0D8050F3FED84757E49660867A9946D63D6CB728C0775BB3D0D74B30F
SHA-512:	27846B1F3EFDCDCBCBA5B5D187D165CBCEB4793E99AB785CD2F68F168BAD6BDF4BA1A7BD3864BACAFA9C320142C68BCF7E77F90020CD6C8E907D82CA75186612
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.1.3.2.9.3.9.8.0.8.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.7.f.3.a.4.b.-.f.b.b.a.-.4.f.8.8.-.b.f.c.1.-.e.8.c.5.e.d.6.5.a.d.8.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.b.4.7.5.9.7.-.f.2.5.0.-.4.c.2.f.-.a.f.9.f.-.8.d.1.f.e.9.5.c.4.7.1.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.4.b.e.5.-.a.b.8.e.3.0.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.a.5.e.0.d.d.e.f.9.7.5.b.c.7.9.2.8.c.3.a.f.7.d.5.6.0.8.0.2.7.6.2.1.6.c.6.a.3.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.7.:.1.6.:.2.2.:.2.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_7d989db4-cfd3-48a7-9c97-e7906e6376f5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7709776830389877
Encrypted:	false
SSDEEP:	192:eac5GoviPl1056rrE3j/PzuiFMZ24IO8ThB:zyiNW56rwj3zuiFMY4IO8r
MD5:	A73A54A50BD4039723A4C300F7267008
SHA1:	BD2DBF44D28CF5F7BA5EE8C848907FC58E7AC7D3
SHA-256:	F53C93C33A4D73B17CB6AC7F7E57A56798A8CF13B3257A48B3CA604909774736
SHA-512:	348E3BB16262352B22CC57F0916772F1141263EB0BA0B62D2A56A28B0D894872B3D8C8639B8DB39A79C886C82C34BAFFBE9026076E0A6D38C95AFEEAA419D6CA
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.1.3.2.6.7.9.5.2.5.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.9.8.9.d.b.4.-.c.f.d.3.-.4.8.a.7.-.9.c.9.7.-.e.7.9.0.6.e.6.3.7.6.f.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.8.e.b.b.3.3.-.f.3.8.3.-.4.1.8.f.-.b.c.e.9.-.e.8.1.b.7.7.1.7.e.4.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.4.b.e.5.-.a.b.8.e.3.0.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.a.5.e.0.d.d.e.f.9.7.5.b.c.7.9.2.8.c.3.a.f.7.d.5.6.0.8.0.2.7.6.2.1.6.c.6.a.3.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.7.:.1.6.:.2.2.:.2.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_f0f65fa3-ef24-4b74-abe3-6938cc277839\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8065882726438097
Encrypted:	false
SSDEEP:	192:cac5GovGPl1056rrE3j/NzuiFMZ24IO8ThB:9yGNW56rwjVzuiFMY4IO8r
MD5:	2D89C0AA64552A47E33CFD9A431D199B
SHA1:	702062FEDB6339D0ADFBC72998D7122F1ABAE620
SHA-256:	8D29F6621A0AA6EABA88FC4D07B383E7654CF652781142CA719676D0D472D599
SHA-512:	D46725D0075D304D9CC0619C99527C4D33F90E30C05929969A8389C26BFCBA354EE2158BD25C0260AE03D9CE65C99C95D481742D831F1B220E8E86ECA7801851
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.1.3.2.8.2.4.5.8.4.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.0.f.6.5.f.a.3.-.e.f.2.4.-.4.b.7.4.-.a.b.e.3.-.6.9.3.8.c.c.2.7.7.8.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.a.d.a.0.6.c.-.8.a.a.5.-.4.a.6.3.-.8.c.d.2.-.a.8.6.8.7.f.0.b.2.a.3.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.4.b.e.5.-.a.b.8.e.3.0.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.a.5.e.0.d.d.e.f.9.7.5.b.c.7.9.2.8.c.3.a.f.7.d.5.6.0.8.0.2.7.6.2.1.6.c.6.a.3.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.7.:.1.6.:.2.2.:.2.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_f685cb8d-656a-4568-bf4b-035c02b730f9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8066901615500042
Encrypted:	false
SSDEEP:	192:3ac5GovAPl1056rrE3j/NzuiFMZ24IO8ThB:yyANW56rwjVzuiFMY4IO8r
MD5:	F6F0F9738022F524F91502F62AF43B4E
SHA1:	CCE87F28378B1730C74A91C6E675A44358E6DDF2
SHA-256:	0E1D6C5355C1500B41D71A3B00102E53613500CE00C29EAC704BE40DD17E7E3D
SHA-512:	F20FB664FF988D471B3E80E441E21C40451606A5595C3316215EA0A796F6898C12A98FA4A670D4D7BAB8010CF8D0F3EE8CFE97F44A04C87FA0143AF03AB71D8B
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.7.1.3.2.7.6.1.7.8.1.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.8.5.c.b.8.d.-.6.5.6.a.-.4.5.6.8.-.b.f.4.b.-.0.3.5.c.0.2.b.7.3.0.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.a.d.f.a.a.9.-.2.8.8.4.-.4.d.5.8.-.b.f.7.0.-.a.1.d.9.4.7.f.0.6.6.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.4.0.-.0.0.0.1.-.0.0.1.4.-.4.b.e.5.-.a.b.8.e.3.0.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.a.5.e.0.d.d.e.f.9.7.5.b.c.7.9.2.8.c.3.a.f.7.d.5.6.0.8.0.2.7.6.2.1.6.c.6.a.3.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.7.:.1.6.:.2.2.:.2.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8932.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	49602
Entropy (8bit):	2.1161320141584747
Encrypted:	false
SSDEEP:	192:oTtX9ntOydzNUBwPf4xYj3zI9/aX9dR4TpdnYqyfAO6w50J:GgydzNswPPy29dIyfABLJ
MD5:	39238987A7874594A1A78F89F13DFE5B
SHA1:	A7532868B1EC9ED488AC5581B66B833D7D934C42
SHA-256:	74F3D4421E3B4FC31300F0DB7FE59051C58731386DA2F429D523D6E0EA0A4BD9
SHA-512:	3569F9AA279A1EE0DA2E92DFBE142CADE706723CCDDCEB9235EFAF9EA8561C62A97631F63C8755DA8EC39FF3ADF3AC640BDDDB10DBB2256FFC25BDA94AACF618
Malicious:	false
Preview:	MDMP..a..... .......>..f........................h...........$...@............'..........`.......8...........T...............2...........d...........P...............................................................................eJ..............GenuineIntel............T.......@...9..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER89C0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.699270971893969
Encrypted:	false
SSDEEP:	192:R6l7wVeJDCO6fhdd6YEIVSU9nlgmfBbXpBX89bbpsfBpm:R6lXJn65dd6YEaSU9nlgmfNQbCfe
MD5:	906BFEEC356FD913C046F6A95746365F
SHA1:	89943257229E593C7FE2F7F422E6464817EB5D1B
SHA-256:	88EEDFA7FCF802F1309B7B861B362E33A5D87F8B1E80C5CD6B0283B3BE21A453
SHA-512:	84CD3E525AF060676508885DDA62259E9A539B7DE2826F95BB6B220EF3A1C9FD6D2F9B75847153565C47506E421679DD28677E35524715EC48071BB9C916F8E9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A2E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4589
Entropy (8bit):	4.47265461363133
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8tJg77aI9v0WpW8VYEYm8M4JYCFQ+q8BvM85udid:uIjf8HI7pt7VoJm4rudid
MD5:	73D4F020AF52A2AF424BEB2DA2179B10
SHA1:	2B5BAC6B5085BF18B0005441923C929E05322770
SHA-256:	3CAC0A9EE90EE6CB771404F7784EF4798EB1B82F8870985CE87B365B02E2ED39
SHA-512:	3D612A297EDA3F51226115832F783ABDCE5287878B36E07E03C1AFBC8E7E7448C99C596740FC8F9EC85236A3E8569761B6E22E5C7294493C0088205F4ED82DB3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C6E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	60674
Entropy (8bit):	1.9656217517497645
Encrypted:	false
SSDEEP:	192:JofBdXSyOysOtOG6zGJjcz9hK0m4HS43zI9/aX9dR4TpdnYXEzO/wCQM:+7OyCG6zGJjcz9hfZy29dtEzOa
MD5:	4139355F071E355F243AEAD2ED35FEA3
SHA1:	B8990E64BA94319283ADFF3A51F9749B7C99E187
SHA-256:	B147B9D9B998A25FE3E9DB85E6C93568C7F80C6C18939BA4733874508DB02B04
SHA-512:	BD2109593E8F8269F88E1B45ECD345C8FED6EBA60F631BBC660702571882826EDF777980C3B9396564C288009DD2C69AC963FEF6AA702DCBFAB43306B5F29510
Malicious:	false
Preview:	MDMP..a..... .......?..f............$...............8.......$................/..........`.......8...........T.......................................................................................................................eJ......d.......GenuineIntel............T.......@...9..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CCD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8322
Entropy (8bit):	3.701257304115169
Encrypted:	false
SSDEEP:	192:R6l7wVeJDCr6GaCk6YEIqSU9Q5gmfBbXpBp89bUbpsfhAajm:R6lXJS6GaCk6YElSU9Q5gmfNeUbCfH6
MD5:	F812DF71AF238E393EBAA45E1606A928
SHA1:	7981E26E4BF59F22864AB724483FFFDFFC1240F4
SHA-256:	6D8F842054EF4AA941E0D00E2FEE11F32AF807BD5C0B8CD2479F58F15ABDEA09
SHA-512:	21D30018980C64383C8B9D36028A75B8B4B1D9F38F9477A12BDCDA5C4507E53981FB528CCC77734B1A9DC578DBF71D35F790032D797140BE7856CB0552CA533E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D0D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4589
Entropy (8bit):	4.469829293776616
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8tJg77aI9v0WpW8VYhYm8M4JYCFT+q8BvM85udid:uIjf8HI7pt7VRJR4rudid
MD5:	9D38053FFA1C67DCB0EE4DA2C89B2316
SHA1:	D86D0EC8ABEE52E5D29D4D3F3BD87F8FD620B7D2
SHA-256:	76DCE910AA2D424BACD16CC66C973D2066CA475C9C4690D971B496324D0D7BFC
SHA-512:	B03344792C9DB746FE1DF9D386F8E499B0F3EA65840D78FAB1303232CA8E2A918109011208E9D560CAC329D82E481D2184E6D93AE6C8CA36794BFF7AECF0D779
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	68936
Entropy (8bit):	1.9734621787890447
Encrypted:	false
SSDEEP:	192:eLHRdX2R+kQtOG9lXz60z9PUS4fUicRx7kJsJ73zI9/aX9dR4TpdnYptUWYLiJKR:kH8+kHG9J3z9ZicRxasJHy29d7tUG
MD5:	65F3F1B5A79A4DEFE66E8004629A4EBD
SHA1:	54D2DBCD7745CBEC9A952B34B0ACE07739A9FF99
SHA-256:	B05296254318D0AF72CC06326681D49E8E5B22888D3E9CAC956A03EC0A480A91
SHA-512:	572B142077DBDAC95C97FF8B20841A8BB02FDED1210F14C20BF0147CFA14072A2E72419C2FBF24443096F72B1376A3E65C803FA0F161419F2BAE4D57A859BD10
Malicious:	false
Preview:	MDMP..a..... .......@..f............T...............h.......$...........D....2..........`.......8...........T...........X...........................................................................................................eJ..............GenuineIntel............T.......@...9..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F4E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8322
Entropy (8bit):	3.699888323918876
Encrypted:	false
SSDEEP:	192:R6l7wVeJDCc6SzXP6YEIsSU9QigmfBbXpBT89bFpsfl3m:R6lXJF6Szf6YEjSU9QigmfNMFCf4
MD5:	1991C1C3D609800A6DB5200C9C07E688
SHA1:	6259F3435549537DC0353A3999B8643E9603245D
SHA-256:	9B4AF6BFC14E080560C43D10C027B8FB46660F7626FCB1FA82FBC7EC6DF78B3F
SHA-512:	9C1A2733D91A4FE78C939EDD3BDFA2C306CC70E13BDA6096DA88F059FA1542A9D740A5740BAA86290710254EA65F831B17C68E51710E7F227866A554F02F8878
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F6E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4589
Entropy (8bit):	4.467139368019084
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8tJg77aI9v0WpW8VYPYm8M4JYCFrys+q8BvM85udid:uIjf8HI7pt7V/JV4rudid
MD5:	304BE06AED009BF7F69383925E8FE0DB
SHA1:	D9136CEE71EB8B193CABF43629A9730219769966
SHA-256:	70DE4F63A2102704864C9F43DD037F5056B5AB498F7F032B9721B1BBE53D1D63
SHA-512:	F22DBEC69F79A2307C25847C0B186D626C39CA9D210974EC21B02ACF7BE645089CF5617173CE5E003784C7FFB82C2DF36E65F1F694CF42A3B8AE4B8F3C295B1C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9373.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	74284
Entropy (8bit):	2.13658373263499
Encrypted:	false
SSDEEP:	384:IOOPI4GGJ4HBzdIJ9Wg7Irm29dEHm240x:PD4Gq4hpzVq0
MD5:	9196C8F7DCAC7E0B1DFB3CA0BBA71788
SHA1:	99F2DCB0119CD41381209F72A0EBEDB2CAE2E289
SHA-256:	C3EB476AC5B56B07050A797B6C820019FB864BF0EDEADD09C43DCFC9CF47C9A4
SHA-512:	5BC02B893F7048D843A12B644EF0251E555EB45DB1050624F0A5EED472E9F98ADA2E7F4DEC3A23ECD98C167623F29F4A2B66E1ABBDB52761ED759C7F4A615D32
Malicious:	false
Preview:	MDMP..a..... .......A..f............T...............h.......$...X.......D...>3..........`.......8...........T...........................\|...........h...............................................................................eJ..............GenuineIntel............T.......@...9..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9401.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8322
Entropy (8bit):	3.699484218168865
Encrypted:	false
SSDEEP:	192:R6l7wVeJDC862R6YEIySU9QigmfBbXpB089b8psf+0m:R6lXJF646YE9SU9QigmfNZ8Cfk
MD5:	DFE93D67ED92D6C71C1FC38F17AEB810
SHA1:	65A1AAAEE837E78B5FC7DF2B96E04AF7444CA60D
SHA-256:	361760835FF2FCD8047B6AA978F55DB3DFE7DD6D5665DDF4815493E8B795DA23
SHA-512:	B4E93D61FEA98449EA97AD53F703EAA2F2BA2D2000985FA4F2B49CE5D612476BA2183EF636E4E21CC2F1A052CE81712E05917EAD3060E3443AEA89DE269004F1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9421.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4589
Entropy (8bit):	4.470751533949114
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8tJg77aI9v0WpW8VY+Ym8M4JYCFA+q8BvM85udid:uIjf8HI7pt7VSJm4rudid
MD5:	41433540CB644B8C69CF5BE8911C1E97
SHA1:	1CEF741A9927D069C0371FB102F6D4460C27622D
SHA-256:	DD0D91D9C7667BB25E68CCF9906D72C3F34C426D960DC70DF429682088243D7E
SHA-512:	44CFA3448C28CEFF9EFDE3724E409CACD2B03DC7D59B0D1D211F580B0AA83123A41BEE7F5E7F435F2E9E2C63CB2BF1439FBE9C0AF5FDCAAF1CF8EF935D26CFC2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9855.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:10 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	86080
Entropy (8bit):	2.1436717177961593
Encrypted:	false
SSDEEP:	384:3QBaX17EGBltJRzdLJvABdaHm29KDilcmEIh5lAA:gSEGBl7RVJv24EBmEINA
MD5:	5C490793FF401B2131D1C29D2715CC42
SHA1:	66D9D33949E390875C5FAA15BE0FA66727E7071A
SHA-256:	4FCD5EBD09FD29A8A6142776396AE992E9DF5163161F4042B67F5615ADC2442D
SHA-512:	64E02256DEDF17E84568AB93C91B7D8235379890ADF3D05355951419BDB0FFB3D699B07741173BDA597EEABCB25DBF1EDE3A5FD84A2CBB4363716F13FCE96092
Malicious:	false
Preview:	MDMP..a..... .......B..f........................(...........$................;..........`.......8...........T............+..p$......................................................................................................eJ......h.......GenuineIntel............T.......@...9..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9912.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8322
Entropy (8bit):	3.699773204411995
Encrypted:	false
SSDEEP:	192:R6l7wVeJDCr6gQR6YEI7SU9H7gmfBbXpBM89bcpsf4Um:R6lXJi6Z6YE0SU9H7gmfNBcCfq
MD5:	1420199E2DFB33D5BCDBF95DB26FBCDB
SHA1:	3EEBB1AEF6A1BB766735E9916040DEB6A48558E0
SHA-256:	CBFFEA5998A03B21E35B225DD4640A360AB9CDB71AF97C0B00D7C40EA8330D25
SHA-512:	0287B222D58BB3DDF37D8C8EE6FF098BF0C58F0565AF7D4FEF10FB325CCD96313FC61E663DC26CA24B479CF26B38665F399DFCA16DC0317A5821A427E25CC971
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9942.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4589
Entropy (8bit):	4.474155667806122
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8tJg77aI9v0WpW8VYCYm8M4JYCFTYo+q8BvM85udid:uIjf8HI7pt7V6JVYo4rudid
MD5:	98FD9DA351356A3122378B8D86C70C9D
SHA1:	677AF4D9765A07E298AA1FBB92F1B0489F213B61
SHA-256:	C4710BCEA2353F2B4521BCAFB12DB0FB9C8DD7D967F77EF7B3E93D7770C5CECA
SHA-512:	96337C67DE9FD82CC382D83BAA8704601AE36F4A311FB22833909D9D00DBEBDAB9866778D2747B57DA294DBDC3157E48AB7F3F547691D5D79491BDF8211FEF20
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DD4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	93886
Entropy (8bit):	2.0447391029383084
Encrypted:	false
SSDEEP:	384:qvU92XGBLC/Jizd7/2BgkLDTBo4Uoqhf7PBMELM:8VXGBMi9ut1o4ijP4
MD5:	AE8C33D7AB4D51FDFA147E10733A96F2
SHA1:	42B34A3771E33B834CF36276EFBC3805E239C7B8
SHA-256:	ED4A10BD01DF028AC2E227F4B68A115A19368D65397DF430F7598B5C761BF80D
SHA-512:	525F10F422E1BA404BEE7CDAB8B050873DB8A51813536E2780AC5DB49E8A3BE1B6F1A9266B5B3F9A5A2B1530EF405192C9E4E1C6B564CCDC1F32D7E713BAE6CD
Malicious:	false
Preview:	MDMP..a..... .......D..f........................D...........$...............4A..........`.......8...........T...........p;..N3..........0...........................................................................................eJ..............GenuineIntel............T.......@...9..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E52.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.700688066867433
Encrypted:	false
SSDEEP:	192:R6l7wVeJDCV6qqQ6YEI3SU9TkgmfBbXpB089bOpsfhw6m:R6lXJk6A6YE4SU9TkgmfNpOCfG
MD5:	29E22213F546695BA21487E08ACFAF9F
SHA1:	E58114B42679FBF10497416C6EC584CC95F930D2
SHA-256:	180DCFD4C97924C1692D73A512950785D79591DD7BB64FF91CADF5426F1C4B91
SHA-512:	11865ABD6AAFAF56EBDAF0E0079923E14ABB61B232C476311668E454CE6274C67EDE0DD3D3B6B6A87F6006788E84655839323AD97970728260693839F33BCA43
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E91.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4589
Entropy (8bit):	4.468726886316914
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8tJg77aI9v0WpW8VYu2Ym8M4JYCFv+q8BvM85udid:uIjf8HI7pt7VvJB4rudid
MD5:	E5B81F2C14CBC5898667403B1CD8BFED
SHA1:	FE9D0E548EDD8B8EF2630CEDF6F61F8868742E29
SHA-256:	5D768519588B35DAADFAEAF44C791162BB96FD1514BB5B460C17A3BB37B8336D
SHA-512:	A3C11F3969D85ED67CCD9163E0E726CBEF67D93865F99BE08AB24472B61156119972950D92EF62EEEBE71C7350773105FC7E94D399D521F45E5BCD37C9E0CB6E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3CF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8372
Entropy (8bit):	3.676289087971238
Encrypted:	false
SSDEEP:	192:R6l7wVeJDCU6qB6YEI7SU9YtFgmf03prB89bzpsfbxm:R6lXJV6qB6YE0SU9gFgmf0UzCfA
MD5:	A4BA227336413EBEB68C0A3F9AAC37FD
SHA1:	A27371F4F36A22F188B3E14EF78F71E4E33D9D7B
SHA-256:	9CD2DA4DD320E983687F6183C23B578CB9E33198280FE01C80BD73BD93730E42
SHA-512:	F3E483AF791685A036AD669BDC040C37F6219879C9A654AF14C4D4FE30263C0BD8D1C99F65A27ABAD771447D8AC70DDA697A1A6419028CD8152C7738AF15DB0A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3FE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4667
Entropy (8bit):	4.42655833637981
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8tJg77aI9v0WpW8VYrzYm8M4JTK6F1+q8vHKpM85udid:uIjf8HI7pt7VmmJGyKqprudid
MD5:	5DFD8DEB878E19DBB3BAABB7A96877F1
SHA1:	1430BF060722232F557425E3B0235F3BB956F93D
SHA-256:	A958ED4A651C62AA44FBB73E08CB5C96AED465E8500C36BE437211721A17EB37
SHA-512:	F079A6898A1056FCD62BE6713245D57F8E7C1337C7C7DDC37DCF89754570A9E8D697581F2C8F9AA2DDCFF0D40483FBD418FEF4FE8414949F5D5A57F9EECDD0EF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\WERA40E.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4878
Entropy (8bit):	3.255567946469748
Encrypted:	false
SSDEEP:	96:pwpIiAkXkkXykmtuWL0QSw0Qp0Qg90QXk0QDT0QkGa4gWXMf8szeuzSzbxGQI5lc:p1lT7u7we358oeyOkNXQ
MD5:	91EDD38C7A549811A666118B48381B51
SHA1:	4D078A23EBD669B875294D1BA095884FCFF99F74
SHA-256:	B6DACEA5EE6C63EEA63FB4CB1AB42463FDE6CAB243D1658BC70C99C03254A800
SHA-512:	2763F5BCF1102AAD1926322365D19CEFBF3BD1343191C20DF3C70D2B779859F9A92A04FDCE95B4F6BA921A5F23D2A3A61BD9653A4241DAD37A1F85A2058FFB9A
Malicious:	false
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .4.4.4.8.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .3.7.1.4.6. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .9. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .1.7.2.8. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.6.9.2.9.8.1.9. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . .

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421307585631249
Encrypted:	false
SSDEEP:	6144:2Svfpi6ceLP/9skLmb0OTvWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:VvloTvW+EZMM6DFy403w
MD5:	195835798DEA16ADBE8D07F59012A92E
SHA1:	D0056AA5E5B8AF613081D76C4D173C5CEB06C934
SHA-256:	1AEF191D3F27210166278838E54B083F3DB7FC0D063993EF548FBB61552CC67E
SHA-512:	3E64CB759D0F674E1DC1E6E8704D18C606F5DE50D53709E7283AC2704683A025841339F534EB4BF1276F0F788E5AA8D4A7C62D382B2A54763B0128084B5F6FBE
Malicious:	false
Preview:	regfD...D....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.\|..0...............................................................................................................................................................................................................................................................................................................................................,...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.082804048749974
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	379'392 bytes
MD5:	245f52e7267ef7042583d20b32023967
SHA1:	ba5e0ddef975bc7928c3af7d56080276216c6a32
SHA256:	5db8ed24d791ca0f05f6df8517b679a456059a09ffd10b0cca1e83d27818fd8f
SHA512:	13a25386d3017d5619bcca53580b81a993a524a25cdbc22f5af29cce082cc7c986afe6d4f139cffc7f93d88b050f0d9a98ed07073490458eb674c19de112524d
SSDEEP:	6144:2Lm2GnCkzwT3jRTtwxJuB1oI1rfAjNowcp+XnT6VSy2DH:2C21yqC3IoItfAjNoj+3T6Ey2z
TLSH:	DC846B23EEE1BC11EAA647318F3996D92B2FBE619D75534D31103E0E29721B0D54AF32
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.a.....F.......F.......F.......F..4=...F...G...F.......F.......F.......F.Rich..F.........PE..L...N.ne...........

File Icon


Icon Hash:	738733b18ba38be4

Static PE Info

General

Entrypoint:	0x40151c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x656ECF4E [Tue Dec 5 07:20:46 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	eb865bbda5c0f6f3a0041e74d558d3f8

Entrypoint Preview

Instruction
call 00007FFB74E919F5h
jmp 00007FFB74E8DBEEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0043EAF8h], eax
mov dword ptr [0043EAF4h], ecx
mov dword ptr [0043EAF0h], edx
mov dword ptr [0043EAECh], ebx
mov dword ptr [0043EAE8h], esi
mov dword ptr [0043EAE4h], edi
mov word ptr [0043EB10h], ss
mov word ptr [0043EB04h], cs
mov word ptr [0043EAE0h], ds
mov word ptr [0043EADCh], es
mov word ptr [0043EAD8h], fs
mov word ptr [0043EAD4h], gs
pushfd
pop dword ptr [0043EB08h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043EAFCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043EB00h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043EB0Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0043EA48h], 00010001h
mov eax, dword ptr [0043EB00h]
mov dword ptr [0043E9FCh], eax
mov dword ptr [0043E9F0h], C0000409h
mov dword ptr [0043E9F4h], 00000001h
mov eax, dword ptr [0043D004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0043D008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000E4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b8ec	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x1f978	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3b4d8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a000	0x1b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3866f	0x38800	e7279660b79c381c49f4eac402a2797d	False	0.9004511200221239	data	7.838427190663764	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3a000	0x22fe	0x2400	b94dc4e30ebd758b0a95e3c215a169e8	False	0.3672960069444444	data	5.5455380957866955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0xf92b8	0x1a00	54309c1151aa5e97e3771ed2ebba6702	False	0.24308894230769232	data	2.52634770779389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x137000	0x51d	0x600	53e979547d8c2ea86560ac45de08ae25	False	0.013020833333333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x138000	0x1f978	0x1fa00	ef327e0dc82b168ae1808ec1300429fb	False	0.4192116477272727	data	5.114448978681931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x150178	0x2	data			5.0
BUXILODUGEDUPUCEGAT	0x14f580	0xbf7	ASCII text, with very long lines (3063), with no line terminators	Turkish	Turkey	0.6000652954619654
RT_CURSOR	0x150180	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x1502b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x138b10	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5738272921108742
RT_ICON	0x1399b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6502707581227437
RT_ICON	0x13a260	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.7056451612903226
RT_ICON	0x13a928	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7557803468208093
RT_ICON	0x13ae90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5276970954356847
RT_ICON	0x13d438	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6343808630393997
RT_ICON	0x13e4e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6442622950819672
RT_ICON	0x13ee68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7774822695035462
RT_ICON	0x13f348	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.34328358208955223
RT_ICON	0x1401f0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5333935018050542
RT_ICON	0x140a98	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6065668202764977
RT_ICON	0x141160	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6632947976878613
RT_ICON	0x1416c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4298755186721992
RT_ICON	0x143c70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5118852459016393
RT_ICON	0x1445f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5106382978723404
RT_ICON	0x144ac8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39712153518123666
RT_ICON	0x145970	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5582129963898917
RT_ICON	0x146218	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6267281105990783
RT_ICON	0x1468e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6416184971098265
RT_ICON	0x146e48	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.4477016885553471
RT_ICON	0x147ef0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.43934426229508194
RT_ICON	0x148878	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.48138297872340424
RT_ICON	0x148d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3307569296375267
RT_ICON	0x149bf0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.40252707581227437
RT_ICON	0x14a498	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.3986175115207373
RT_ICON	0x14ab60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.40534682080924855
RT_ICON	0x14b0c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.15809128630705394
RT_ICON	0x14d670	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.17847091932457787
RT_ICON	0x14e718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.21147540983606558
RT_ICON	0x14f0a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.23670212765957446
RT_STRING	0x152a28	0x404	data			0.4494163424124514
RT_STRING	0x152e30	0x568	data			0.4407514450867052
RT_STRING	0x153398	0x532	data			0.44511278195488724
RT_STRING	0x1538d0	0x7bc	data			0.4222222222222222
RT_STRING	0x154090	0x92a	data			0.4121909633418585
RT_STRING	0x1549c0	0x700	data			0.4291294642857143
RT_STRING	0x1550c0	0x524	data			0.45440729483282677
RT_STRING	0x1555e8	0x708	data			0.4272222222222222
RT_STRING	0x155cf0	0x75e	data			0.4236479321314952
RT_STRING	0x156450	0x730	data			0.4260869565217391
RT_STRING	0x156b80	0x842	data			0.4195837275307474
RT_STRING	0x1573c8	0x50a	data			0.44108527131782943
RT_STRING	0x1578d8	0x9c	data			0.6025641025641025
RT_GROUP_CURSOR	0x152858	0x22	data			1.088235294117647
RT_GROUP_ICON	0x144a60	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x14f508	0x76	data	Turkish	Turkey	0.6779661016949152
RT_GROUP_ICON	0x13f2d0	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x148ce0	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x152880	0x1a8	data			0.5825471698113207

Imports

DLL	Import
KERNEL32.dll	SearchPathW, DebugActiveProcessStop, OpenJobObjectA, ReadConsoleA, QueryDosDeviceA, GetEnvironmentStringsW, WaitForSingleObject, InterlockedCompareExchange, GetComputerNameW, GetNumaAvailableMemoryNode, SetCommBreak, BackupSeek, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, GetPriorityClass, GetVolumeInformationA, GetConsoleMode, GetConsoleAliasExesLengthW, GetSystemTimeAdjustment, WriteConsoleOutputA, HeapDestroy, GetFileAttributesA, GetBinaryTypeA, GetModuleFileNameW, GetNumaNodeProcessorMask, GetStdHandle, GetLastError, GetProcAddress, SearchPathA, LoadLibraryA, LocalAlloc, MoveFileA, SetCommMask, CreatePipe, GetDefaultCommConfigA, FreeEnvironmentStringsW, BuildCommDCBA, FatalAppExitA, WriteConsoleOutputAttribute, SetCalendarInfoA, FindAtomW, DebugBreak, GlobalReAlloc, CopyFileExA, CloseHandle, WriteConsoleW, GetConsoleOutputCP, GetCommandLineW, HeapFree, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WriteFile, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, WriteConsoleA, CreateFileA
USER32.dll	GetUserObjectInformationW, SetFocus
ADVAPI32.dll	ObjectPrivilegeAuditAlarmA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T14:02:12.346757+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49705	188.114.96.3	443	TCP
2024-09-30T14:02:12.346757+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49705	188.114.96.3	443	TCP
2024-09-30T14:02:13.611130+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49706	172.67.129.166	443	TCP
2024-09-30T14:02:13.611130+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49706	172.67.129.166	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 14:02:10.649697065 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:10.649735928 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:10.649842024 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:10.651299953 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:10.651315928 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:11.119390965 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:11.119589090 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:11.124383926 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:11.124404907 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:11.124655962 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:11.212785006 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:11.914597034 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:11.914597034 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:11.914737940 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:12.346762896 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:12.346853018 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:12.349982977 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:12.357640028 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:12.357640982 CEST	49705	443	192.168.2.5	188.114.96.3
Sep 30, 2024 14:02:12.357661963 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:12.357672930 CEST	443	49705	188.114.96.3	192.168.2.5
Sep 30, 2024 14:02:12.493012905 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:12.493052959 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:12.493122101 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:12.493599892 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:12.493613958 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:12.965437889 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:12.965518951 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:13.153692007 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:13.153733015 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:13.154098988 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:13.158507109 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:13.159357071 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:13.159390926 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:13.611149073 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:13.611248016 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:13.611318111 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:13.611567974 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:13.611588001 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:13.611610889 CEST	49706	443	192.168.2.5	172.67.129.166
Sep 30, 2024 14:02:13.611618042 CEST	443	49706	172.67.129.166	192.168.2.5
Sep 30, 2024 14:02:13.675122976 CEST	49707	443	192.168.2.5	104.102.49.254
Sep 30, 2024 14:02:13.675175905 CEST	443	49707	104.102.49.254	192.168.2.5
Sep 30, 2024 14:02:13.675302982 CEST	49707	443	192.168.2.5	104.102.49.254
Sep 30, 2024 14:02:13.675693035 CEST	49707	443	192.168.2.5	104.102.49.254
Sep 30, 2024 14:02:13.675709963 CEST	443	49707	104.102.49.254	192.168.2.5
Sep 30, 2024 14:02:14.228503942 CEST	49707	443	192.168.2.5	104.102.49.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 14:02:10.615513086 CEST	60279	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:10.634154081 CEST	53	60279	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:12.392642975 CEST	61062	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:12.402951002 CEST	53	61062	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:12.416352034 CEST	58417	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:12.427150965 CEST	53	58417	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:12.450824022 CEST	52731	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:12.460745096 CEST	53	52731	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:12.464606047 CEST	51085	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:12.489597082 CEST	53	51085	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:13.615426064 CEST	52417	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:13.626344919 CEST	53	52417	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:13.629196882 CEST	52138	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:13.638055086 CEST	53	52138	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:13.640779018 CEST	54596	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:13.649822950 CEST	53	54596	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:13.652235031 CEST	59778	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:13.662247896 CEST	53	59778	1.1.1.1	192.168.2.5
Sep 30, 2024 14:02:13.664483070 CEST	56626	53	192.168.2.5	1.1.1.1
Sep 30, 2024 14:02:13.674236059 CEST	53	56626	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 14:02:10.615513086 CEST	192.168.2.5	1.1.1.1	0x8c6c	Standard query (0)	diskegraciw.online	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.392642975 CEST	192.168.2.5	1.1.1.1	0xb0b6	Standard query (0)	famikyjdiag.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.416352034 CEST	192.168.2.5	1.1.1.1	0x1a84	Standard query (0)	possiwreeste.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.450824022 CEST	192.168.2.5	1.1.1.1	0xe2dd	Standard query (0)	commandejorsk.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.464606047 CEST	192.168.2.5	1.1.1.1	0x9fee	Standard query (0)	underlinemdsj.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.615426064 CEST	192.168.2.5	1.1.1.1	0xa03f	Standard query (0)	bellykmrebk.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.629196882 CEST	192.168.2.5	1.1.1.1	0xeaa0	Standard query (0)	agentyanlark.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.640779018 CEST	192.168.2.5	1.1.1.1	0xf604	Standard query (0)	writekdmsnu.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.652235031 CEST	192.168.2.5	1.1.1.1	0x94b3	Standard query (0)	delaylacedmn.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.664483070 CEST	192.168.2.5	1.1.1.1	0x8635	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 14:02:10.634154081 CEST	1.1.1.1	192.168.2.5	0x8c6c	No error (0)	diskegraciw.online		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:10.634154081 CEST	1.1.1.1	192.168.2.5	0x8c6c	No error (0)	diskegraciw.online		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.402951002 CEST	1.1.1.1	192.168.2.5	0xb0b6	Name error (3)	famikyjdiag.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.427150965 CEST	1.1.1.1	192.168.2.5	0x1a84	Name error (3)	possiwreeste.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.460745096 CEST	1.1.1.1	192.168.2.5	0xe2dd	Name error (3)	commandejorsk.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.489597082 CEST	1.1.1.1	192.168.2.5	0x9fee	No error (0)	underlinemdsj.site		172.67.129.166	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:12.489597082 CEST	1.1.1.1	192.168.2.5	0x9fee	No error (0)	underlinemdsj.site		104.21.1.169	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.626344919 CEST	1.1.1.1	192.168.2.5	0xa03f	Name error (3)	bellykmrebk.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.638055086 CEST	1.1.1.1	192.168.2.5	0xeaa0	Name error (3)	agentyanlark.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.649822950 CEST	1.1.1.1	192.168.2.5	0xf604	Name error (3)	writekdmsnu.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.662247896 CEST	1.1.1.1	192.168.2.5	0x94b3	Name error (3)	delaylacedmn.site	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 14:02:13.674236059 CEST	1.1.1.1	192.168.2.5	0x8635	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

diskegraciw.online

underlinemdsj.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.96.3	443	320	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:02:11 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: diskegraciw.online
2024-09-30 12:02:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 12:02:12 UTC	774	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 12:02:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hon1n0ue4s9nicm4ma0cpcvkgb; expires=Fri, 24 Jan 2025 05:48:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kzni7LBnfarj26fNsk6taOuHeaPyaxDstuvmsY88VCDVwXE2%2FY6OL%2BTt2KGpdH1m0cByIlv3FujJWNJjvBcgAaHHBQtMYZjKftLx8B%2Fy56qRsTzNwgijLWNvldSQv6OwLdFYk%2F4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb41008ca140f85-EWR
2024-09-30 12:02:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 12:02:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	172.67.129.166	443	320	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 12:02:13 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: underlinemdsj.site
2024-09-30 12:02:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 12:02:13 UTC	772	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 12:02:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=djfbmom8j9j090pobusrr80mqb; expires=Fri, 24 Jan 2025 05:48:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BbscIthnAkY063vqePkeY8DOMmF90UqLcO22EdJquk8%2BZVWZFMvGAKozbl1ktA%2FAsHzJJdcuHI0fzfguNZD%2FV9VcenBnGifGQcFJCAaOMp2LvmdPAxwQmYALCg9YTx3YczAlIMQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb410108ec24402-EWR
2024-09-30 12:02:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 12:02:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:02:01
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	379'392 bytes
MD5 hash:	245F52E7267EF7042583D20B32023967
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2424482575.000000000062E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:02:06
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 564
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:02:07
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 628
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:02:08
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 636
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:02:09
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 664
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:02:10
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1088
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:02:11
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 884
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:02:13
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1668
Imagebase:	0x760000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	29.5%
Signature Coverage:	51.6%
Total number of Nodes:	95
Total number of Limit Nodes:	12

Executed Functions

Function 0040FEA0 Relevance: 14.4, Strings: 11, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-g.e, xrefs: 004108C0
+w#u, xrefs: 004108A4
-{(y, xrefs: 004108AB
a#B!, xrefs: 00410849
!, xrefs: 00410160
vA, xrefs: 004107EE
WU, xrefs: 004100B6
*, xrefs: 0041017E
c;j9, xrefs: 0041083B
|/s-, xrefs: 0041085E
j?n=, xrefs: 00410842

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: *$+w#u$-g.e$-{(y$a#B!$c;j9$j?n=$vA$|/s-$WU$!
API String ID: 0-1787053657
Opcode ID: c13be54020f41ce89dab5dc43ca08c7f796e33f7d12026ab39e084d4114764ea
Instruction ID: c2bb247bafdb7313821d879b64bda63368b080b473f309f5bbc30140614eceec
Opcode Fuzzy Hash: c13be54020f41ce89dab5dc43ca08c7f796e33f7d12026ab39e084d4114764ea
Instruction Fuzzy Hash: F25223B8101B44CFD3208F25D985B9BBBF1FB45304F108A2DE5AA9BA90D7B4A449CF95

Function 0040F242 Relevance: 11.9, Strings: 9, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

s!s#, xrefs: 0040F510
o9h;, xrefs: 0040F502
|s, xrefs: 0040F4AE
}%v', xrefs: 0040F56A
m5o7, xrefs: 0040F4FB
}%v', xrefs: 0040F517
h=m?, xrefs: 0040F509
x)*+, xrefs: 0040F51E
a1c3, xrefs: 0040F4F4

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: a1c3$h=m?$m5o7$o9h;$s!s#$x)*+$|s$}%v'$}%v'
API String ID: 0-3183375410
Opcode ID: 024ef0da4a596ea164a11865650f69faa876bc17e72d013c950936e6cad53d2c
Instruction ID: ab31153b6aecb880430fb79f64d743cd69268ca503e92c45a0fdefa4ad8a0f35
Opcode Fuzzy Hash: 024ef0da4a596ea164a11865650f69faa876bc17e72d013c950936e6cad53d2c
Instruction Fuzzy Hash: E712CF75904254CFCB24CFA4D8906ADBBB1FF4A314F28447ED845BB792D33A984ACB58

Function 004109FD Relevance: 10.1, Strings: 8, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-g.e, xrefs: 004108C0
+w#u, xrefs: 004108A4
-{(y, xrefs: 004108AB
a#B!, xrefs: 00410849
vA, xrefs: 004107EE
c;j9, xrefs: 0041083B
|/s-, xrefs: 0041085E
j?n=, xrefs: 00410842

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: +w#u$-g.e$-{(y$a#B!$c;j9$j?n=$vA$|/s-
API String ID: 0-3368389427
Opcode ID: 7cdf59660103e34530295848d8297454cd7db00b4eee7c08d484b65ddcde7457
Instruction ID: ef5da5caff501121846a183971fce4e3a24f1d29a4bd3fd26003c313b652faee
Opcode Fuzzy Hash: 7cdf59660103e34530295848d8297454cd7db00b4eee7c08d484b65ddcde7457
Instruction Fuzzy Hash: 26511DB8801B44CFD320DF65D58579BBAF1BB11300F508A0DE5AA6BB90D7B4A049CF9A

Function 00446C3F Relevance: 7.9, Strings: 6, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4`[b, xrefs: 004470A0
%sgh, xrefs: 00446E10
@, xrefs: 00446CBB
;tD, xrefs: 004475A0
bkji, xrefs: 00446F7B, 00446F53, 00446F5B
bkji, xrefs: 00447092, 00446FEF

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %sgh$4`[b$;tD$@$bkji$bkji
API String ID: 0-2268879959
Opcode ID: 94df2760f8db060c208eec00ee275b17ceaeda88ae7b023788925bbd64218746
Instruction ID: 3f5a3689fe6e23831503edc09df9701b4f8abac82631b9520675ae7212839888
Opcode Fuzzy Hash: 94df2760f8db060c208eec00ee275b17ceaeda88ae7b023788925bbd64218746
Instruction Fuzzy Hash: 87D17B7560C3419BE700DF24D890B2EBBE5EF8630AF55882DE1C58B2A2D339D855CB5B

Function 0040F940 Relevance: 5.4, Strings: 4, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(+, xrefs: 0040FC95
,S, xrefs: 0040FAEC
hl`b, xrefs: 0040F952
abv>, xrefs: 0040F983, 0040F98B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ,S$abv>$hl`b$(+
API String ID: 0-1477408855
Opcode ID: 72ac0c004794a08c95aa35a317ae4500911b9d1d818d48228cf010c78f30d133
Instruction ID: 9f817a8e2a67d5e9bb77a4aa321ba27626eab226e45f4db4f393a7a4b5a1abac
Opcode Fuzzy Hash: 72ac0c004794a08c95aa35a317ae4500911b9d1d818d48228cf010c78f30d133
Instruction Fuzzy Hash: 1DD15A7050C3848BD321DF18D494A2FBBE1AF92744F14093EE4D5AB792D33AD949CB9A

Function 00446BB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044A35D,005C003F,00000006,?,?,00000018,;:54,?,?), ref: 00446BDE

Strings

;:54, xrefs: 00446BB0, 00446BCC, 00446BDA

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54
API String ID: 2994545307-2887251705
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0062F1E6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0062F20E
Module32First.KERNEL32(00000000,00000224), ref: 0062F22E

Memory Dump Source

Source File: 00000000.00000002.2424482575.000000000062E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0062E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62e000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: f36119786e5e17766e3c0441e83158298377aac352fbd98a13da180b6059a2d0
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 18F0C236501B20ABE7203BF4B88CBAA76F9AF5A324F10013CE642D15C0CAB0ED458E61

Function 0044A610 Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;:54, xrefs: 0044A644, 0044A64D

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 5631d567d11453a6109dcff4ad7cc3bee237fea7f6fd986a06632eafa227ce3b
Instruction ID: 882643b4eb6ca10f8686816ed560115293d3e2a899ffd47342a0d4b0e7199bb1
Opcode Fuzzy Hash: 5631d567d11453a6109dcff4ad7cc3bee237fea7f6fd986a06632eafa227ce3b
Instruction Fuzzy Hash: 14418074248300ABE7249F15D990B2FB7B6EB85715F18882EF5C587252D339EC21CB6B

Function 00410A14 Relevance: .7, Instructions: 731COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b8c6c1c0ad7b8407c0d06a4eeeb17eaaf0200cd1bee2cbab323eda1072f713
Instruction ID: 1ba0488450753c04a73f7314cc371f13e839d3e33e891539d3f436e863efcac3
Opcode Fuzzy Hash: 73b8c6c1c0ad7b8407c0d06a4eeeb17eaaf0200cd1bee2cbab323eda1072f713
Instruction Fuzzy Hash: 094299B4909245DFD7018F64D880BAFBBB5FF8A305F14486DF5819B261C379D880CBAA

Function 0040ED69 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af35127cc1491bfc61b17fa5ba87654075c7ae562b45c20c3b4bab04c1f43731
Instruction ID: 9edcf4d25f74866ae39aa047a6d5692af398919683ba0a025143113fbbde7ae8
Opcode Fuzzy Hash: af35127cc1491bfc61b17fa5ba87654075c7ae562b45c20c3b4bab04c1f43731
Instruction Fuzzy Hash: 40C04C75D44218ABCB109FD4DC44BEDF7B9EB0F211F142420F518F3150D670D4408B18

Function 0218003C Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0218024D

Strings

cess, xrefs: 0218018D
kernel32.dll, xrefs: 0218008F, 02180095
D$D, xrefs: 021808CA

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: D$D$cess$kernel32.dll
API String ID: 4275171209-2168437553
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 5783bce6cd5ccce51b09679f3e05ee428f2a6a4bdf07989417e0223f411b94f1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B9526A75A01229DFDB64CF58C984BACBBB1BF09304F1580D9E94DAB351DB30AA89CF14

Function 0040D1B0 Relevance: 6.2, APIs: 4, Instructions: 168
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D1C1
GetCurrentThreadId.KERNEL32 ref: 0040D1D6
GetCurrentProcessId.KERNEL32 ref: 0040D1DC
ExitProcess.KERNEL32 ref: 0040D3B0

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID:
API String ID: 1029096631-0
Opcode ID: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction ID: cef429908aa3f9a371f43fe30aad8a3e1bbd179f5a8d92ac8e9d07c1c392d4d2
Opcode Fuzzy Hash: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction Fuzzy Hash: 4D41387490C380ABD301BFA9D544A1EFFE5AF52709F148D6DE5C4A7292C33AC8148B6B

Function 00443D70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00443DC7

Strings

;:9, xrefs: 00443D93, 00443D9B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: ;:9
API String ID: 1279760036-2043501942
Opcode ID: b0a2b385c493f2e05ed0f16342a373650e8d6b78ba81928787c921c82ab7b483
Instruction ID: 3614878b22931f63ccd83f747bb93377d8c2420df51822dec7133d9b7ce95dac
Opcode Fuzzy Hash: b0a2b385c493f2e05ed0f16342a373650e8d6b78ba81928787c921c82ab7b483
Instruction Fuzzy Hash: 6EF0177450C240ABE201AF18D944A1EFBE5EB56B05F44882DE4C597352C236D824CB57

Function 02180E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02180223,?,?), ref: 02180E19
SetErrorMode.KERNELBASE(00000000,?,?,02180223,?,?), ref: 02180E1E

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: a846ea09069fb0ff73c478be89de1126635b9151421e274922989b7d7294ded1
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 94D0123214512C77D7003A94DC09BCE7B1CDF09B66F108011FB0DD9080C770954046E5

Function 00443DE0 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00443E53

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c51c400c6a17806a49d266ab07ccd44f8f0e899916b432d7c6c93a4536d318f1
Instruction ID: c100f27477890f830ed4a8073daf1caf7dd598550ae5831fd290d4e8889c83d3
Opcode Fuzzy Hash: c51c400c6a17806a49d266ab07ccd44f8f0e899916b432d7c6c93a4536d318f1
Instruction Fuzzy Hash: CAF03C34909241EBD701AF18E945A0EBBE5EF56B06F158C2DE4C49B261C239DC64CBAA

Function 0062EEA5 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0062EEF6

Memory Dump Source

Source File: 00000000.00000002.2424482575.000000000062E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0062E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62e000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4a38bb8bce7da304850fa742579b45be7770502236634f4226426976f086118f
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E1113C79A00208EFDB01DF98CA85E98BBF5EF08750F0580A4F9489B362D371EA50DF80

Non-executed Functions

Function 0042DB00 Relevance: 32.3, APIs: 2, Strings: 16, Instructions: 806COMMON

Download Yara Rule

Strings

qB, xrefs: 0042E96B
8_8Q, xrefs: 0042E5FE
)O?A, xrefs: 0042E5DE
?G?Y, xrefs: 0042E5EE
4`[b, xrefs: 0042E490
P?[1, xrefs: 0042E633, 0042E63B
>C$E, xrefs: 0042E5E6
1K&M, xrefs: 0042E5D6
"B, xrefs: 0042E515
B, xrefs: 0042EBE8
A3L5, xrefs: 0042E5C6
B, xrefs: 0042E7DB, 0042EC80, 0042F00D
f[,], xrefs: 0042E5F6
4`[b, xrefs: 0042EC60
R7MI, xrefs: 0042E5CE
PS, xrefs: 0042E606

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "B$)O?A$1K&M$4`[b$4`[b$8_8Q$>C$E$?G?Y$A3L5$P?[1$PS$R7MI$f[,]$qB$B$B
API String ID: 0-2207453258
Opcode ID: 4945f131cbcd63178f50a791d1600bd3529e92cfb1c3789f1156e4ce500b8d4d
Instruction ID: b527049b1f04bed8db2febbcc069cccee7980657cecff28908646a30116e1527
Opcode Fuzzy Hash: 4945f131cbcd63178f50a791d1600bd3529e92cfb1c3789f1156e4ce500b8d4d
Instruction Fuzzy Hash: 3C4210B1608305DFD314DF29E89062FBBE1FB9A305F44492DE5848B3A2E774D805CB9A

Function 00433240 Relevance: 20.3, APIs: 1, Strings: 10, Instructions: 1011COMMON

Download Yara Rule

Strings

av%, xrefs: 0043326A
?;2, xrefs: 00433445
4_2], xrefs: 00433F8A
GD, xrefs: 004332EE
2.%1, xrefs: 00433413
-6, xrefs: 004333A5
iJIQ, xrefs: 004339F8
(\QQ, xrefs: 00433314
C+N), xrefs: 00433F58
NREH, xrefs: 004337E3

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: av%$(\QQ$2.%1$4_2]$?;2$C+N)$GD$NREH$iJIQ$-6
API String ID: 0-2209209854
Opcode ID: 3dea97e05e88cb0162a67cab6b3455c4048c2d6602de325be8b757f4bce8188f
Instruction ID: 409dd95b141f07926cd205b7855d849f23a46d072771003b431955ec9f8a7ea4
Opcode Fuzzy Hash: 3dea97e05e88cb0162a67cab6b3455c4048c2d6602de325be8b757f4bce8188f
Instruction Fuzzy Hash: 41826970405B818ED7218F35C4907A3FBE0AF1B306F58695ED4EB9B282D739A605CF69

Function 0041FB39 Relevance: 17.4, Strings: 13, Instructions: 1195COMMON

Download Yara Rule

Strings

qo, xrefs: 0041FBDB
URSP, xrefs: 004202E6
A^_\, xrefs: 004202C5
TWVQ, xrefs: 004205C6
L, xrefs: 00420608
$'&!, xrefs: 0042059A
<E:G, xrefs: 00420DCB
Q=A?, xrefs: 00420DB5
yw, xrefs: 0041FBC5
@A, xrefs: 00420DD6
LTI, xrefs: 00420542
X[ZE, xrefs: 004205E7
, xrefs: 0041FD80, 0041FE70, 0041FE37, 0041FD47, 0041FD56, 0041FE46

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: $'&!$<E:G$@A$A^_\$L$LTI$Q=A?$TWVQ$URSP$X[ZE$qo$yw$
API String ID: 0-2229384479
Opcode ID: 3686f5bc4b348d2d26c09967f31526b0b7d09be7330fbf0dcdca5f559d9bc543
Instruction ID: ade82052f7034141f3486747ce71b63ff0a93d90754f62eeb3371bc372faa748
Opcode Fuzzy Hash: 3686f5bc4b348d2d26c09967f31526b0b7d09be7330fbf0dcdca5f559d9bc543
Instruction Fuzzy Hash: 1EA2ACB46083809FE730CF11D881BABBBE1EFC5344F54492EE5C98B252DB799845CB5A

Function 00440118 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00440149
SysStringLen.OLEAUT32(?), ref: 004401FA
VariantClear.OLEAUT32 ref: 00440392

Strings

/.-,, xrefs: 004405E3, 004405EB
/.-,, xrefs: 00440693, 0044069B
4`[b, xrefs: 004406D0

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInitString
String ID: /.-,$/.-,$4`[b
API String ID: 825681660-3655442430
Opcode ID: 74fa93fe1aa01fc7789c4b564c888145abc275ceb45d1c9a3e570741ec2b6672
Instruction ID: a146195070703f8030d25863cbf2834a15c96a942167813edb38b99b85ca9f11
Opcode Fuzzy Hash: 74fa93fe1aa01fc7789c4b564c888145abc275ceb45d1c9a3e570741ec2b6672
Instruction Fuzzy Hash: C6F1FEB2608301DFE300DF24E88172EB7E1FB89346F14492DE58197392D739E921CB5A

Function 0041E85A Relevance: 13.3, Strings: 10, Instructions: 773COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041E9A0
43!=, xrefs: 0041ED97
4`[b, xrefs: 00421380
2+/&, xrefs: 0041ED81
4`[b, xrefs: 004212C0
));:, xrefs: 0041ED76
9&=V, xrefs: 0041EDA2
XZ, xrefs: 0041EC3C
>&0N, xrefs: 0041ED8C
, xrefs: 00421369, 00421327, 004212A9, 00421267, 0041E989, 0041E947, 0041E956, 00421276, 00421336

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ));:$2+/&$43!=$4`[b$4`[b$4`[b$9&=V$>&0N$XZ$
API String ID: 0-801546609
Opcode ID: 48ab01e73fdbd6b2dce21db729467f16be9cdb8baeaf6a8ce1db0b34eeda6029
Instruction ID: 783a83c4c7002f34e80161bbf1eb2366d8f674cc96a2253d44dc20155df269f7
Opcode Fuzzy Hash: 48ab01e73fdbd6b2dce21db729467f16be9cdb8baeaf6a8ce1db0b34eeda6029
Instruction Fuzzy Hash: 7A42ABB55093809FE770CF24D891BEFBBE2AB85305F54092DE4C987352DB369891CB4A

Function 0041E900 Relevance: 13.1, Strings: 10, Instructions: 638COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041E9A0
43!=, xrefs: 0041ED97
4`[b, xrefs: 00421380
2+/&, xrefs: 0041ED81
4`[b, xrefs: 004212C0
));:, xrefs: 0041ED76
9&=V, xrefs: 0041EDA2
XZ, xrefs: 0041EC3C
>&0N, xrefs: 0041ED8C
, xrefs: 00421369, 00421327, 004212A9, 00421267, 0041E989, 0041E947, 0041E956, 00421276, 00421336

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ));:$2+/&$43!=$4`[b$4`[b$4`[b$9&=V$>&0N$XZ$
API String ID: 0-801546609
Opcode ID: cab73bcaef6991c62f1e654993cf0cfb54ad59c0c6f8896c587ea773f9eaa2d7
Instruction ID: 062afb2aaea30a15cde8f8ba60e72c14b850b42667b1157ee78ddc04b4dd17a7
Opcode Fuzzy Hash: cab73bcaef6991c62f1e654993cf0cfb54ad59c0c6f8896c587ea773f9eaa2d7
Instruction Fuzzy Hash: AA2268B45093808FE770CF25D890BEFBBE2ABC5315F54492DE4C987261DB369890CB56

Function 00410E90 Relevance: 13.0, Strings: 10, Instructions: 459COMMON

Download Yara Rule

Strings

q!r#, xrefs: 00410F00
?m0o, xrefs: 00410FAC
iAbC, xrefs: 00410F49
z-~/, xrefs: 00410F08
s)+, xrefs: 00410F10
+U?W, xrefs: 00410F18
9e5g, xrefs: 00410F96
?a4c, xrefs: 00410FA1
y-{, xrefs: 00410F8B
HiBk, xrefs: 00410FB7

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: +U?W$9e5g$?a4c$?m0o$HiBk$iAbC$q!r#$s)+$z-~/$y-{
API String ID: 0-1667213943
Opcode ID: 94c7e916e61dbc1aef4b9996d49d202b70f6ccaffbb7d239b9fddca910e7af78
Instruction ID: db61fb89cbf57355de25a26b7224b8c415fa403fbe1b062cd5e3585aaa356518
Opcode Fuzzy Hash: 94c7e916e61dbc1aef4b9996d49d202b70f6ccaffbb7d239b9fddca910e7af78
Instruction Fuzzy Hash: B80253B410D380AFD3609F15D884B6FBBF5AB86744F50882DF6D88B261C7798844CF5A

Function 0042CEC0 Relevance: 12.9, Strings: 10, Instructions: 425COMMON

Download Yara Rule

Strings

c/g-, xrefs: 0042CF4F
cS'Q, xrefs: 0042CF57
/.-,, xrefs: 0042D3C4, 0042D3CD
$W U, xrefs: 0042CF5F
w1u, xrefs: 0042CF9F
4`[b, xrefs: 0042D320
4`[b, xrefs: 0042D400
X+\), xrefs: 0042D101, 0042D0D4, 0042D0DD, 0042D10B
+[&Y, xrefs: 0042CF67
=O?M, xrefs: 0042CF8F

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: w1u$$W U$+[&Y$/.-,$4`[b$4`[b$=O?M$X+\)$c/g-$cS'Q
API String ID: 0-1896435338
Opcode ID: f3b20549ed32967fa41e0b770e14c0a9f1733105eacce4aad3a787895fa9273f
Instruction ID: b05090eb9a83177901ea3704caff3b2f9a6eb8352bc78c1fc5c7ecac0665f33e
Opcode Fuzzy Hash: f3b20549ed32967fa41e0b770e14c0a9f1733105eacce4aad3a787895fa9273f
Instruction Fuzzy Hash: 7CE188B5608341DBE320DF24E881B2BBBF5FB86345F50482EF58487262D779E854CB1A

Function 00428FF0 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 460COMMON

Download Yara Rule

Strings

W'Y, xrefs: 004295BB
qo, xrefs: 00429476
~F, xrefs: 0042946E
aq, xrefs: 00429466
;{}, xrefs: 00429015
`8, xrefs: 0042945E

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ;{}$`8$aq$qo$~F$W'Y
API String ID: 0-4060129118
Opcode ID: bc58df64a225dbae0f541f826bf52a928db0aafb00a4db3f32ea25c37ab8fdb0
Instruction ID: 8b9829fc2b4919bb135ab6d18dd40f8c546e063c63e9033c8f6ca4485ea100bc
Opcode Fuzzy Hash: bc58df64a225dbae0f541f826bf52a928db0aafb00a4db3f32ea25c37ab8fdb0
Instruction Fuzzy Hash: 07023FB4208340ABD310DF55E980A2FBBF4EB96B49F40491DF4C99B252D339D905CBAB

Function 00422260 Relevance: 11.6, Strings: 9, Instructions: 387COMMON

Download Yara Rule

Strings

/]([, xrefs: 00422313
\9b7, xrefs: 00422373, 0042237B
9E0C, xrefs: 00422303
xY9W, xrefs: 0042231B
de, xrefs: 00422343
Q1:O, xrefs: 004222EB
r&B, xrefs: 0042266C
G5M3, xrefs: 004222E3
HI, xrefs: 00422517

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: /]([$9E0C$G5M3$HI$Q1:O$\9b7$de$r&B$xY9W
API String ID: 0-509952333
Opcode ID: eab2989d5c1ca6d9895e3b8815c2bec9bb0e9353bd6588a293385eb12087281d
Instruction ID: b20ecfa1218eb78e5202d0c738cbeec8428151f5f79ed63716bde37511c93a69
Opcode Fuzzy Hash: eab2989d5c1ca6d9895e3b8815c2bec9bb0e9353bd6588a293385eb12087281d
Instruction Fuzzy Hash: 5EA1A970108350ABC720EF18D891B2BB7F0EF91354F94894DE8D58B3A1E779D941CB6A

Function 00430810 Relevance: 10.7, Strings: 8, Instructions: 708COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00430E80
4`[b, xrefs: 00430B50
VQgi, xrefs: 00430F5F
SV, xrefs: 00430F87
uvw, xrefs: 00430995
z, xrefs: 00430BA7
`h] , xrefs: 00430F6F
m1s3, xrefs: 004309C3, 004309CB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$SV$VQgi$`h] $m1s3$z$uvw
API String ID: 0-1570870778
Opcode ID: 6940bd77cd7df20c8438f87061f6af86a247c2cf395d55d692572ee4ab0c75c3
Instruction ID: 660509b604085e1a0b105996a5aed58a7c6aa5aa991dfcfa3e2d42d2c1c515d0
Opcode Fuzzy Hash: 6940bd77cd7df20c8438f87061f6af86a247c2cf395d55d692572ee4ab0c75c3
Instruction Fuzzy Hash: 4F42DDB1508340DFD310EF25D991A2BBBE1AF8A309F144A6EF5C497352D379E904CB5A

Function 021A24C7 Relevance: 10.4, Strings: 8, Instructions: 387COMMON

Download Yara Rule

Strings

xY9W, xrefs: 021A2582
Q1:O, xrefs: 021A2552
9E0C, xrefs: 021A256A
HI, xrefs: 021A277E
\9b7, xrefs: 021A25DA, 021A25E2
/]([, xrefs: 021A257A
de, xrefs: 021A25AA
G5M3, xrefs: 021A254A

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: /]([$9E0C$G5M3$HI$Q1:O$\9b7$de$xY9W
API String ID: 0-328433602
Opcode ID: 3968db63e622d76c4d8b1267648677d257e2c4e1a9c96da7c52ec120136ecb8c
Instruction ID: ce67cada1580712357be4ec087f1f41148d6b4c4501486ef4aa18c346f3797a8
Opcode Fuzzy Hash: 3968db63e622d76c4d8b1267648677d257e2c4e1a9c96da7c52ec120136ecb8c
Instruction Fuzzy Hash: 3AA1BDB84483408BC721DF18C8A1B6AB7F1FF95754F18894CE8D58B391E73AD901CBA2

Function 021907D6 Relevance: 10.2, Strings: 8, Instructions: 187COMMON

Download Yara Rule

Strings

-g.e, xrefs: 02190B27
c;j9, xrefs: 02190AA2
a#B!, xrefs: 02190AB0
+w#u, xrefs: 02190B0B
vA, xrefs: 02190A55
|/s-, xrefs: 02190AC5
-{(y, xrefs: 02190B12
j?n=, xrefs: 02190AA9

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: +w#u$-g.e$-{(y$a#B!$c;j9$j?n=$vA$|/s-
API String ID: 0-3368389427
Opcode ID: e922b25acc6cb4d9564eb28686b6f09cec36217e488d3db2b3fd9198ef960518
Instruction ID: 441638e849de6aff131325328908e37710f8d76c2559af20f16d05861d681722
Opcode Fuzzy Hash: e922b25acc6cb4d9564eb28686b6f09cec36217e488d3db2b3fd9198ef960518
Instruction Fuzzy Hash: 7EB1DCB8401B44CFE720DF66D585B9ABBF1BB11600F509A0CE5AA6BB50D770A045CF96

Function 00434136 Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1039COMMON

Download Yara Rule

Strings

cos`, xrefs: 00434B1D
QYMA, xrefs: 00434173
jXJ,, xrefs: 00434A1B
34t, xrefs: 00434D30

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 34t$QYMA$cos`$jXJ,
API String ID: 0-3026627037
Opcode ID: f8b66ab7bb3bfb9fc8db50659caa218e70da8c2d83bc6d0a9692e9b00dccea9c
Instruction ID: cdedb0f16f626838ad45ab5571db02497c84d10fb9eeda8d87be13f06e05827c
Opcode Fuzzy Hash: f8b66ab7bb3bfb9fc8db50659caa218e70da8c2d83bc6d0a9692e9b00dccea9c
Instruction Fuzzy Hash: E482CB70504B808FD726CF35C4907A7BBE1AF4A304F58996ED5EA8B692CB39F505CB18

Function 00439D70 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00439D94
GetWindowLongW.USER32 ref: 00439DC3
GetClipboardData.USER32 ref: 00439DD6
CloseClipboard.USER32 ref: 00439ED9

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: bd733db51de7a274a1ea2e485793d498a05ca025b0381db77358d02ebdc330fd
Instruction ID: f8eb7662055ae418468e5478b484177f75bb97afe56f8083e02c4ac8d2d6a6c6
Opcode Fuzzy Hash: bd733db51de7a274a1ea2e485793d498a05ca025b0381db77358d02ebdc330fd
Instruction Fuzzy Hash: 7041C5749087818FD711AB7CC84A26EBFA0AF56320F048A6DE4E6873D1D2789855C7A7

Function 00434060 Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 959COMMON

Download Yara Rule

Strings

cos`, xrefs: 00434B1D
jXJ,, xrefs: 00434A1B
34t, xrefs: 00434D30

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 34t$cos`$jXJ,
API String ID: 0-1477531880
Opcode ID: e6cf050e03f680f9534f78ef4aab8308371ff0f1078a72a46c214a2f3525f9ac
Instruction ID: 8753dea9b6e7294165946d73b9d4cbff6eac4e22efe94e5982482735d7dcf57e
Opcode Fuzzy Hash: e6cf050e03f680f9534f78ef4aab8308371ff0f1078a72a46c214a2f3525f9ac
Instruction Fuzzy Hash: A872CC70504B808FD7268F35C4907E3BBE1AF5A304F58986ED5EA8B692CB39F505CB58

Function 0218FBA7 Relevance: 7.9, Strings: 6, Instructions: 384COMMON

Download Yara Rule

Strings

(+, xrefs: 0218FEFC
abv>, xrefs: 0218FBEA, 0218FBF2
bME, xrefs: 0219004B
hl`b, xrefs: 0218FBB9
,S, xrefs: 0218FD53
bME, xrefs: 0219002E

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ,S$abv>$bME$bME$hl`b$(+
API String ID: 0-3251160802
Opcode ID: 624823effcec1ef7614e5d9d104bf47e30eaae647dea6767315c95f80a301d71
Instruction ID: d69d32486a33b0347014eb2ca8fec5f621fd44fa26d23fe68aef926d5343c480
Opcode Fuzzy Hash: 624823effcec1ef7614e5d9d104bf47e30eaae647dea6767315c95f80a301d71
Instruction Fuzzy Hash: EDD1867154C3808BC711EF288490A2EBBF5AF96748F68091CE4D59B352D336C94ACFA7

Function 02182528 Relevance: 7.8, Strings: 6, Instructions: 280COMMON

Download Yara Rule

Strings

A, xrefs: 021825C3
gfff, xrefs: 021826D9
gfff, xrefs: 02182690
gfff, xrefs: 0218263E
gfff, xrefs: 02182629
+, xrefs: 021825D8

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: +$A$gfff$gfff$gfff$gfff
API String ID: 0-3068076857
Opcode ID: 349bd8ef67bf192f55a0efaa05cb606c6f84454f28c8bcb1851f2ea413faf19b
Instruction ID: d3b86b7d5904ba01ecca11e179992d59445e552b3af44a81153bf27bd59ec46f
Opcode Fuzzy Hash: 349bd8ef67bf192f55a0efaa05cb606c6f84454f28c8bcb1851f2ea413faf19b
Instruction Fuzzy Hash: 3B91F072B487814FC309DE2DC8D036ABBE2AFD8214F19862DE995CB392D774D945CB42

Function 00401297 Relevance: 7.1, Strings: 5, Instructions: 831COMMON

Download Yara Rule

Strings

0, xrefs: 00402558
i, xrefs: 00402B2F
0, xrefs: 00401FF6
, xrefs: 00402168
0, xrefs: 004020C8

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$i$
API String ID: 0-2925056081
Opcode ID: 094a1ac18e31122ba7d82fad7b1910034111fb0287644e024bd69df5bcbd8dba
Instruction ID: abd9aba50732c5b9c3a899e943ff8a70eca27e932e739446308e31a65b42ea40
Opcode Fuzzy Hash: 094a1ac18e31122ba7d82fad7b1910034111fb0287644e024bd69df5bcbd8dba
Instruction Fuzzy Hash: CA62AD7160C3428FC318DF28C69472BBBE1ABD5344F148A2EE495A73D1D7B8D949CB86

Function 0218DCF7 Relevance: 6.5, Strings: 5, Instructions: 268COMMON

Download Yara Rule

Strings

PPaR, xrefs: 0218DFDD
ZS, xrefs: 0218DD5D
(_+X, xrefs: 0218DFE5
WX,3, xrefs: 0218DFED
RTjb, xrefs: 0218DFD5

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: (_+X$PPaR$RTjb$WX,3$ZS
API String ID: 0-863934208
Opcode ID: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction ID: 87743b4874205768522661759b628bc434f1ffec17c00739546721e90d115eab
Opcode Fuzzy Hash: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction Fuzzy Hash: 3DA156B014C3808FD3219F2995A0B2AFBE1AF92755F14899DE8E59B382C375C806CF53

Function 0040DA90 Relevance: 6.5, Strings: 5, Instructions: 268COMMON

Download Yara Rule

Strings

ZS, xrefs: 0040DAF6
WX,3, xrefs: 0040DD86
PPaR, xrefs: 0040DD76
(_+X, xrefs: 0040DD7E
RTjb, xrefs: 0040DD6E

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: (_+X$PPaR$RTjb$WX,3$ZS
API String ID: 0-863934208
Opcode ID: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction ID: d0cf81dbf9aa542438e21b9e093ff4536dfe669ed3218448f7505fd5c5da7706
Opcode Fuzzy Hash: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction Fuzzy Hash: EAA166B450C3808FD3218F5995A062BFBE1AF96745F54896EE4E49B382C379C809CB57

Function 021C4927 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

0, xrefs: 021C4A8D
O[=F, xrefs: 021C49DF
_ZTn, xrefs: 021C49E7
, xrefs: 021C4B2D, 021C4B0A, 021C4B12
S]^Z, xrefs: 021C49D7

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$O[=F$S]^Z$_ZTn$
API String ID: 0-2719754397
Opcode ID: 72b795bcca4822e7cf92329e51dbb233330d133371685fdb0abc7184844f2b96
Instruction ID: fed0991a60c212d04f388c58cca05991726d0dc31979edc1a09ebf05fec85283
Opcode Fuzzy Hash: 72b795bcca4822e7cf92329e51dbb233330d133371685fdb0abc7184844f2b96
Instruction Fuzzy Hash: B38114B96483419FD728DF05D8A0B2ABBE6FFA9714F64481DF99587391C331E810CB92

Function 004446C0 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

, xrefs: 004448C6, 004448A3, 004448AB
O[=F, xrefs: 00444778
0, xrefs: 00444826
S]^Z, xrefs: 00444770
_ZTn, xrefs: 00444780

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 0$O[=F$S]^Z$_ZTn$
API String ID: 2994545307-2719754397
Opcode ID: 6025b61dd59e6360ea53f82e5307d2b81f0fce3acd2d188a90f594a6a7657a1a
Instruction ID: 313905893d1e1e7e0242f4a1edf30df717f4d78309ef6d6032eb1adb43791fd7
Opcode Fuzzy Hash: 6025b61dd59e6360ea53f82e5307d2b81f0fce3acd2d188a90f594a6a7657a1a
Instruction Fuzzy Hash: CC8114B8608340ABE714DF15D890B2BFBE5FB8A314F14481EF99587391C739E815CB96

Function 021814FE Relevance: 5.9, Strings: 4, Instructions: 945COMMON

Download Yara Rule

Strings

0, xrefs: 0218232F
0, xrefs: 021827BF
0, xrefs: 0218225D
i, xrefs: 02182D96

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$0$0$i
API String ID: 0-3333316649
Opcode ID: 637fd238475128122dba43368a2f42aa51ab3c75261021d03427150179f20968
Instruction ID: 36f5b2778918f87ec252c4f3a1652b2d72b1789b021f3a2d5bb2fe6266e0d756
Opcode Fuzzy Hash: 637fd238475128122dba43368a2f42aa51ab3c75261021d03427150179f20968
Instruction Fuzzy Hash: 7D72A0716483819FD31AEE28C4D076ABBE2AFC5308F18892DE8D987391D775D949CF42

Function 0042DBD5 Relevance: 5.5, Strings: 4, Instructions: 488COMMON

Download Yara Rule

Strings

0U, xrefs: 0042DC0A
Q34, xrefs: 0042DC12
END', xrefs: 0042DC2A
*F)", xrefs: 0042DC32

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: *F)"$0U$END'$Q34
API String ID: 0-484807741
Opcode ID: 6947439ce2a770810fac87f645673a2a4aadf96364a2cd933333a5574d7d2ca1
Instruction ID: 2d9c9b5bdf371bdc614e89d4fb155c3f311055695e7c9dcb6f8b99c6ec2a4304
Opcode Fuzzy Hash: 6947439ce2a770810fac87f645673a2a4aadf96364a2cd933333a5574d7d2ca1
Instruction Fuzzy Hash: ADF10DB1A08351DFC704CF25E84062BBBE1AF9A305F58486EF4C59B352D778E905CB8A

Function 0041F552 Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041FA40
, xrefs: 0041FA29, 0041F9E7, 0041F969, 0041F927, 0041F8A9, 0041F867, 0041F876, 0041F936, 0041F9F6
4`[b, xrefs: 0041F980
nInO, xrefs: 0041F657, 0041F666

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b$4`[b$nInO$
API String ID: 2994545307-1506492284
Opcode ID: 3065231b23380dae8df6ff952a9f52a90a3da71bd92ce920fb78ec851f738950
Instruction ID: 892bb54473547f6c3f17e525adf3228a4b55f96a76f350a56702ec2478476bef
Opcode Fuzzy Hash: 3065231b23380dae8df6ff952a9f52a90a3da71bd92ce920fb78ec851f738950
Instruction Fuzzy Hash: 1FC19AB45093809BE3349F10C861BEBB7F1BF89305F54092DE5CC9B291DB79A885CB5A

Function 0043A264 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A29A
GetSystemMetrics.USER32 ref: 0043A2A9

Strings

, xrefs: 0043A354

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c21be9d2694e2b68cfdc32f4eb9cabf62df2482831049d53af685cbe19498bb9
Instruction ID: 03140c3d05d663704b6b564207b4e2a79db1268aa39735f2662102cdacc9f5c2
Opcode Fuzzy Hash: c21be9d2694e2b68cfdc32f4eb9cabf62df2482831049d53af685cbe19498bb9
Instruction Fuzzy Hash: 1E3191B49143008FDB00EF69E985A5EBBF4FB89314F11892DE498DB360D774A948CB96

Function 021C4DC7 Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 021C4E4D, 021C4E2A, 021C4E32
, xrefs: 021C5479, 021C544A, 021C50FD, 021C516F, 021C50DA, 021C5056, 021C502A, 021C5032, 021C50E2, 021C5173, 021C5452
f, xrefs: 021C4FED

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: f$$
API String ID: 0-2685584965
Opcode ID: 3e54a89e4051ecb3e9256b39faa63c931c8393d0ea62b94b4704fe0b12d7323e
Instruction ID: 58336e74151c46b75375f940cd3d3fa07057b9ffdfd34ce46c7183d481822e77
Opcode Fuzzy Hash: 3e54a89e4051ecb3e9256b39faa63c931c8393d0ea62b94b4704fe0b12d7323e
Instruction Fuzzy Hash: 5A12AE796483419FC714CF18C890A2EBBE6BFA9318F684A2DF4E597391D731E801CB52

Function 00444B60 Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00444BE6, 00444BC3, 00444BCB
f, xrefs: 00444D86
, xrefs: 00445212, 004451E3, 00444E96, 00444F08, 00444E73, 00444DEF, 00444DC3, 00444DCB, 00444E7B, 00444F0C, 004451EB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: f$$
API String ID: 0-2685584965
Opcode ID: e5fe15bc993402b79ae6fd0a8e8267b10b88acd63cba0fd7997ff48647d14ee1
Instruction ID: 85f8fbffd657e1a2c41f7e50236ae4f37192d85f09d5935e236d51d05d68cbad
Opcode Fuzzy Hash: e5fe15bc993402b79ae6fd0a8e8267b10b88acd63cba0fd7997ff48647d14ee1
Instruction Fuzzy Hash: 7D12AA716083418FE715CF28C890B2BBBE6BBC9314F194A2EF49597392D739E805CB56

Function 021A2EF7 Relevance: 4.3, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

X, xrefs: 021A314D
hUVS, xrefs: 021A347B, 021A3484
{jhk, xrefs: 021A3446

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: X$hUVS${jhk
API String ID: 0-1700130621
Opcode ID: 3eb9ca0e086e855ee0f0e1a9410e62cf2e792a2d3de8b47a09f6f4c9021fd810
Instruction ID: aef0751d81dae66ace9bfa0508144d67f6d95d0a0dab7a9ceb350e48c79d0eb7
Opcode Fuzzy Hash: 3eb9ca0e086e855ee0f0e1a9410e62cf2e792a2d3de8b47a09f6f4c9021fd810
Instruction Fuzzy Hash: DE0279B5948380AFD3119B24C990B6FBBEAAFC5704F14885CF99897241D736ED09CB93

Function 00422C90 Relevance: 4.3, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

X, xrefs: 00422EE6
hUVS, xrefs: 00423214, 0042321D
{jhk, xrefs: 004231DF

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: X$hUVS${jhk
API String ID: 0-1700130621
Opcode ID: 3f4bcb633678015ddfdabc249f28c4bdf0efc2fe8b785642f4c930266efd323e
Instruction ID: 062697985ec5d3873608a8fe0e6609fabf76f2f58c76c371f68d1c8877fce24f
Opcode Fuzzy Hash: 3f4bcb633678015ddfdabc249f28c4bdf0efc2fe8b785642f4c930266efd323e
Instruction Fuzzy Hash: 4202ADB5608350ABD300DF21E981A1FBBE5AFC5708F54882EF98897242D339ED059B5B

Function 02183977 Relevance: 4.2, Strings: 3, Instructions: 439COMMON

Download Yara Rule

Strings

Inf, xrefs: 021839CE
|, xrefs: 02183C29
NaN, xrefs: 021839D5

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Inf$NaN$|
API String ID: 0-2466523057
Opcode ID: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction ID: 448bb90974829ee7e8f51de08cc6b537a92ab0eda5473298ff7738694b042a32
Opcode Fuzzy Hash: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction Fuzzy Hash: A5E1C472A047019BC718EF28C8C065AB7E2EBC4B54F198A6DF9A5D73A0E771DD41CB81

Function 00403710 Relevance: 4.2, Strings: 3, Instructions: 439COMMON

Download Yara Rule

Strings

NaN, xrefs: 0040376E
|, xrefs: 004039C2
Inf, xrefs: 00403767

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN$|
API String ID: 0-2466523057
Opcode ID: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction ID: 8dff6c7b172047a2ae6ef76387c72cebf5739e0883bf045c6ae33580d9919b23
Opcode Fuzzy Hash: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction Fuzzy Hash: A4E1C372B143019BC704DF28C88061BBBE5EBC4755F248A3EE895E73E5E675ED018B86

Function 021889B7 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

), xrefs: 02188A3D
), xrefs: 02188A33
IEND, xrefs: 02188E17

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: dd86e4ec7c6722b29d4f0d31880a0aa1a027174877f2f962a4df0946fdca47f1
Instruction ID: 5ccd55497df1714405c3bc80a0d93da524b2300a87b115d9c60cca9e9a929635
Opcode Fuzzy Hash: dd86e4ec7c6722b29d4f0d31880a0aa1a027174877f2f962a4df0946fdca47f1
Instruction Fuzzy Hash: EBE102B1A487059FD314EF28C88075ABBE1BF94304F154A2DE9989B380E776E915CFD2

Function 00408750 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

IEND, xrefs: 00408BB0
), xrefs: 004087D6
), xrefs: 004087CC

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: df4f626cf024e61cea9d74bb21ad584babb789d8ef152633e427089c5937cec4
Instruction ID: e201d24cd4307b6ffba764ff5e07ee633e22e8df84828d647ac8a2efaddb935f
Opcode Fuzzy Hash: df4f626cf024e61cea9d74bb21ad584babb789d8ef152633e427089c5937cec4
Instruction Fuzzy Hash: DEE1E0B1A087019BD310DF28D88175ABBE0BB84314F144A3EE9D9A73C1D779E915CBDA

Function 021C8EA7 Relevance: 4.1, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

oD, xrefs: 021C913C
kD, xrefs: 021C9127
P, xrefs: 021C904D

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: P$kD$oD
API String ID: 0-623137063
Opcode ID: 69a15b8950ccb6fdf57811abb1dc1c683e54b1e26c2dc2d4a35ef979296f89b2
Instruction ID: 0fd854728dfd18685dbac297f5dae0a6c2348a7ebf34f15000f80c37e1f8e7f2
Opcode Fuzzy Hash: 69a15b8950ccb6fdf57811abb1dc1c683e54b1e26c2dc2d4a35ef979296f89b2
Instruction Fuzzy Hash: 2EC1F2765083648FC315CE28C89076FB7E1EBD5718F258A2CE8A9AB3D0D775D805CB82

Function 00414D8D Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

*, xrefs: 00414F0B
oQA, xrefs: 00415169
H9, xrefs: 00414D8D

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: *$H9$oQA
API String ID: 0-3086764009
Opcode ID: f7f7aabd342a089234bc4a55029cea29a7f16f20146576aa267cd8d08a302688
Instruction ID: e32ca05ba96c9175d4cce646fd607f1986eb62935b15cfcc67354a17a0a27be4
Opcode Fuzzy Hash: f7f7aabd342a089234bc4a55029cea29a7f16f20146576aa267cd8d08a302688
Instruction Fuzzy Hash: EDB138B05083809BD315EB94D880BAFFBF8AF96305F14092EE5C497252E379D854CB6B

Function 00440580 Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

/.-,, xrefs: 004405E3, 004405EB
/.-,, xrefs: 00440693, 0044069B
4`[b, xrefs: 004406D0

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: /.-,$/.-,$4`[b
API String ID: 0-3655442430
Opcode ID: f06a106d91e2cc7800fd747d151223e1fb3d4f498dee8cabf8de532cc40f2a63
Instruction ID: c748d1ae17558c148dad3250e2def7c23df5c0511277cb16bede94740d35a379
Opcode Fuzzy Hash: f06a106d91e2cc7800fd747d151223e1fb3d4f498dee8cabf8de532cc40f2a63
Instruction Fuzzy Hash: 0C51A1716083009BE714DF25E851B2FB7E5EF95346F01082DF2C197252D73AE921CBAA

Function 0219FA8A Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0219FBE7
, xrefs: 0219FC90, 0219FC4E, 0219FBD0, 0219FB8E, 0219FB10, 0219FACE, 0219FADD, 0219FB9D, 0219FC5D
4`[b, xrefs: 0219FCA7

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b$
API String ID: 0-3990757397
Opcode ID: c3d0a67cae17320b704b3e59a3e35a35a863266f254242ea5ac433a6a2901832
Instruction ID: 6690dd8eb8237ca41ee9360ab34a09f38f5fd1f9bd362cc09c34e8e68dbeabb7
Opcode Fuzzy Hash: c3d0a67cae17320b704b3e59a3e35a35a863266f254242ea5ac433a6a2901832
Instruction Fuzzy Hash: 8B51E0759483899BEB35CB14C851BEEB7A2FF88305F284C2CE5A8C7291C771E491CB12

Function 00422063 Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

jABC, xrefs: 004221E3, 004221EB
TU, xrefs: 00422100
-"B, xrefs: 00422227

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: -"B$TU$jABC
API String ID: 0-1472133093
Opcode ID: cb7b2110b44033b6b4bcad9678ed1a0df7346a6f9ae8281a6a8eca307ae42e4e
Instruction ID: cc864d50663ff5025ed46511f35f12994df011000135a368941414507477666c
Opcode Fuzzy Hash: cb7b2110b44033b6b4bcad9678ed1a0df7346a6f9ae8281a6a8eca307ae42e4e
Instruction Fuzzy Hash: 644198B0608354ABC700EF14E991B2BBBF1EF91740F44880DE9C58B351E3B9DA14CB5A

Function 021934C4 Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

D, xrefs: 0219371D
F'W9, xrefs: 02193534
", xrefs: 0219369E

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "$D$F'W9
API String ID: 0-1820947052
Opcode ID: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction ID: 2f73761e7049d4838a4a02c186aa6e0e3e601aba65e6255c09f7fbbb74476712
Opcode Fuzzy Hash: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction Fuzzy Hash: E851ECB40083809FE7648F11C599BAFBBF0BF92B08F50890CE5D85A290D7B69548CF97

Function 0041325D Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

", xrefs: 00413437
F'W9, xrefs: 004132CD
D, xrefs: 004134B6

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "$D$F'W9
API String ID: 0-1820947052
Opcode ID: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction ID: f32d58d7e18b96630162a080e2e64c46b825db4d7c3546f9c88ca46c941da017
Opcode Fuzzy Hash: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction Fuzzy Hash: 0D51EBB40183809FE7608F11C5957AFBBF0BF92B08F50890DE4D85A290D7BA9548CF8A

Function 00425320 Relevance: 3.8, Strings: 3, Instructions: 99COMMON

Download Yara Rule

Strings

0TB, xrefs: 0042542A
KM, xrefs: 0042536D
LO, xrefs: 00425375

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0TB$LO$KM
API String ID: 0-2473149073
Opcode ID: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction ID: 5af698da3240ce5cf2f13bd734f54302c2ab68d98fd4413b216b81fbb1d13a70
Opcode Fuzzy Hash: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction Fuzzy Hash: CA21BFB45096209BC310EB18D841A2BB7F4EF92799F95590DE4C587391E378D900CBAB

Function 0218092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0218095F
GetProcAddress., xrefs: 021809DC, 021809DF, 021809E4
l, xrefs: 02180966

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 12504da68fe851acd66978f1aff55e238d901a755d33189b1f9763ae4d0cf1d3
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 91314AB6940609DFDB10DF99C880AAEBBF9FF48324F15414AD845A7310D7B1EA49CFA4

Function 021CAB87 Relevance: 3.8, Strings: 3, Instructions: 84COMMON

Download Yara Rule

Strings

@, xrefs: 021CABD7
;:54, xrefs: 021CAC1A, 021CAC22
\9X7, xrefs: 021CAB8A

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ;:54$@$\9X7
API String ID: 0-443102510
Opcode ID: c7bd6466920c7dd20041c4ef923462de8a655574ccfcc261b98309ede90bef34
Instruction ID: cf30abb4b8eaca9d360fdedec823182cbb075350b430b45cf954196a6829457f
Opcode Fuzzy Hash: c7bd6466920c7dd20041c4ef923462de8a655574ccfcc261b98309ede90bef34
Instruction Fuzzy Hash: 4F317AB45083489BD315DF15D880A2EFBF5FF9A314F24892CE5C497250D336D954CB66

Function 0044A920 Relevance: 3.8, Strings: 3, Instructions: 84COMMON

Download Yara Rule

Strings

@, xrefs: 0044A970
;:54, xrefs: 0044A9B3, 0044A9BB
\9X7, xrefs: 0044A923

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$@$\9X7
API String ID: 2994545307-443102510
Opcode ID: 6ac5ba2a3848dfd158dfdc445177851b6ea7e7ab2008ca005f77dba1e41b31d4
Instruction ID: 61df063a2357247074fa9386486a3e1957a8e93e6842f5f367d6fb2425e9dc59
Opcode Fuzzy Hash: 6ac5ba2a3848dfd158dfdc445177851b6ea7e7ab2008ca005f77dba1e41b31d4
Instruction Fuzzy Hash: DB3166B15083009BE310DF14D980A2BFBF9FF8A318F14892DE58497251E339D914CBAB

Function 00449580 Relevance: 3.2, Strings: 2, Instructions: 713COMMON

Download Yara Rule

Strings

T'&!, xrefs: 004495B3, 004495BB
0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$$T'&!
API String ID: 0-2300784948
Opcode ID: e2b057cc033b0edc3fe4232f2a3896a439a452f1bee7fab9dc5139b2cf461f2c
Instruction ID: f16a53d80bf270c7979ba3a4e2a3b4766dddc8c5520dd8645b6b3131129592cf
Opcode Fuzzy Hash: e2b057cc033b0edc3fe4232f2a3896a439a452f1bee7fab9dc5139b2cf461f2c
Instruction Fuzzy Hash: 3032893460C340CFD704DF28E990A1AB7E1FF8A31AF19886DE5858B362D335E954DB4A

Function 021AD957 Relevance: 2.9, Strings: 2, Instructions: 358COMMON

Download Yara Rule

Strings

o^_b, xrefs: 021ADCB7
tUWl, xrefs: 021ADCFA, 021ADD02

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: o^_b$tUWl
API String ID: 0-3192600724
Opcode ID: 1820666ef52f5d8565998a38715f99d8bf09580b4144af81ee57d82d0c4bae62
Instruction ID: 23dc647ffaf72b2b41869bf8783a90c3576b117774cd95300393531aa635b00c
Opcode Fuzzy Hash: 1820666ef52f5d8565998a38715f99d8bf09580b4144af81ee57d82d0c4bae62
Instruction Fuzzy Hash: 52A123756487419FD714DF24E8A0B2BB7F2EF86314F14892CE9958B790E335E844CB92

Function 0042D6F0 Relevance: 2.9, Strings: 2, Instructions: 358COMMON

Download Yara Rule

Strings

o^_b, xrefs: 0042DA50
tUWl, xrefs: 0042DA93, 0042DA9B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: o^_b$tUWl
API String ID: 2994545307-3192600724
Opcode ID: e204a0f69503bce91028cc47280996955e77d4d53eac8bb79977be26a6605346
Instruction ID: 03db81f68b829ac62a433c253204fb25f244f9a329e39115774d30c4e83b14b4
Opcode Fuzzy Hash: e204a0f69503bce91028cc47280996955e77d4d53eac8bb79977be26a6605346
Instruction Fuzzy Hash: 47A11271A083119FD710EF15E890B2BB7E1EF85314F64892EF59987351E338E840CB9A

Function 021B5707 Relevance: 2.9, Strings: 2, Instructions: 354COMMON

Download Yara Rule

Strings

U.Da, xrefs: 021B591C
[^"Y, xrefs: 021B5832

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: U.Da$[^"Y
API String ID: 0-3132506315
Opcode ID: de8edc1c985f99f0f126323a137a6617815bba2369a33d8cdffb55bdbd2de221
Instruction ID: 23ccb7e60555088901a87961f721caa4f2892db328607c12b1201f65027bd524
Opcode Fuzzy Hash: de8edc1c985f99f0f126323a137a6617815bba2369a33d8cdffb55bdbd2de221
Instruction Fuzzy Hash: 44E14A70504B809ED7328F35C490BE3BBF2AF16304F88899DD5EA8B692DB75E105DB61

Function 004354A6 Relevance: 2.9, Strings: 2, Instructions: 353COMMON

Download Yara Rule

Strings

[^"Y, xrefs: 004355CB
U.Da, xrefs: 004356B5

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: U.Da$[^"Y
API String ID: 0-3132506315
Opcode ID: 9b75ece036759378195a9bf4f53f2f48e10b4deee5bf70fda4db311eb22fbf02
Instruction ID: ac9ac3933775d2256496bc8287258fa8106305a43dadf0415ea25cee06398cb6
Opcode Fuzzy Hash: 9b75ece036759378195a9bf4f53f2f48e10b4deee5bf70fda4db311eb22fbf02
Instruction Fuzzy Hash: B8E16B70404F808ED7328F35C4907E3BBE1AF1A304F84995ED5EA8B692D739E505DB65

Function 0218E087 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

w`}b, xrefs: 0218E21B
opgt, xrefs: 0218E213

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: opgt$w`}b
API String ID: 0-2758945785
Opcode ID: 983253c4a531ad69842af91e52af8ae0866b0a5c05b08d8e6299cc498d189435
Instruction ID: 274a6a0e751e7416357490f3561dc2f727a0bf5631852c345cf3131cb8225323
Opcode Fuzzy Hash: 983253c4a531ad69842af91e52af8ae0866b0a5c05b08d8e6299cc498d189435
Instruction Fuzzy Hash: 2EC10EB05483809FD311EF69D880A2EBBE6AB96748F140D1CE5D48B251D77AD908CFA7

Function 0040DE20 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

opgt, xrefs: 0040DFAC
w`}b, xrefs: 0040DFB4

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: opgt$w`}b
API String ID: 0-2758945785
Opcode ID: 298a5cd36f6d69d185647e169501a24c557c346b6e4923422ba8e26d7c29c9b9
Instruction ID: 56c1f4487eaec788286ed6761f49cb54518eada9de256ec486ddf6324bf4e2db
Opcode Fuzzy Hash: 298a5cd36f6d69d185647e169501a24c557c346b6e4923422ba8e26d7c29c9b9
Instruction Fuzzy Hash: F0C134B05083809BD311EF56D480A2FBBE4EB96748F104D2DE1D49B392C779D918CBAB

Function 02194FF4 Relevance: 2.8, Strings: 2, Instructions: 313COMMON

Download Yara Rule

Strings

H9, xrefs: 02194FF4
*, xrefs: 02195172

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: *$H9
API String ID: 0-3056219007
Opcode ID: 29feafbe720e338ccf578db841f4e8885c02ab27d739ec3d04e1e9cc7d1159ee
Instruction ID: c5eec264bd21215405b3980168091665965c8b9c909d1026ba1e25191084b3dc
Opcode Fuzzy Hash: 29feafbe720e338ccf578db841f4e8885c02ab27d739ec3d04e1e9cc7d1159ee
Instruction Fuzzy Hash: FEB135B05483809FE716EB94C880B2FFBE9AF96704F58092DE5C497251E376D904CBA3

Function 00422673 Relevance: 2.7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

Strings

")B, xrefs: 00422919
O1NO, xrefs: 00422816

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ")B$O1NO
API String ID: 0-2629967336
Opcode ID: e6cf0548333ae4fcf02a1c70276e66e1be1c026a10561864c89da198f9c4aa89
Instruction ID: 357e7906652d570bd0c3cf92acab623ec5306bc9f16e6ff154a734f56acea3a8
Opcode Fuzzy Hash: e6cf0548333ae4fcf02a1c70276e66e1be1c026a10561864c89da198f9c4aa89
Instruction Fuzzy Hash: 5C6177B46083909BC300AF19E891A2BBBF0EF92755F84491DF4C49B361E379D911CB5B

Function 0042268A Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

")B, xrefs: 00422919
O1NO, xrefs: 00422816

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ")B$O1NO
API String ID: 0-2629967336
Opcode ID: 142dfccd39e8424dc339e935302cb7a54e8df3c4f5416460b5bcfe13e7502297
Instruction ID: d5ac74756f149cbb4a96c6fcf04656c1624da6386313232f50d9fcc619c8e41f
Opcode Fuzzy Hash: 142dfccd39e8424dc339e935302cb7a54e8df3c4f5416460b5bcfe13e7502297
Instruction Fuzzy Hash: 896176B46083A0ABC300AF19E891A2BBBF0EF92755F44495DF4C49B361E379D911CB5B

Function 021B9AE7 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 021B9C99
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 021B9BB2

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2222143745
Opcode ID: 022af45df9f18e9a21763841cf3bcf4586f922794776cb1d13f848251b5c1297
Instruction ID: a97220a559c524cd01d36cb6b1bb64cfaf4f16ef9c734d78f8a18ff95aa50af0
Opcode Fuzzy Hash: 022af45df9f18e9a21763841cf3bcf4586f922794776cb1d13f848251b5c1297
Instruction Fuzzy Hash: 19611937B9D58187C72E8A3C8D512F97AA75F93134B2E8769E6B6CB3E0D7258402C740

Function 00439880 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00439A32
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 0043994B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2222143745
Opcode ID: f068a729cb661a9bd15075f354239e4a50013d93da8a1ed15d154f4616625041
Instruction ID: 20f377fefa2c7eb00aaa400402c53f4e2b27e897c9f9d000dd49f76e59748751
Opcode Fuzzy Hash: f068a729cb661a9bd15075f354239e4a50013d93da8a1ed15d154f4616625041
Instruction Fuzzy Hash: E761F933B1D58187D718993C4C522B66A831FAB374F3D936BE4B2C73D1D5A98C029346

Function 021B80D7 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 021B81AA
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 021B81C6

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-2492670020
Opcode ID: c14f06df38f0fb473a4aa8476d427ad33fb3adc3615abd7e4720bd95abce625e
Instruction ID: 81dad387bc10c82e1e36d7d1ab5348b4d0293daa94a6c97138b2d2b72a1d71c8
Opcode Fuzzy Hash: c14f06df38f0fb473a4aa8476d427ad33fb3adc3615abd7e4720bd95abce625e
Instruction Fuzzy Hash: D171F92668EA918FD31E9A3C9C503FA6AA65F82A34F1F475DE4F2473E1C7258801C751

Function 00437E70 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00437F43
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00437F5F

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-2492670020
Opcode ID: c14f06df38f0fb473a4aa8476d427ad33fb3adc3615abd7e4720bd95abce625e
Instruction ID: 3f95d336363f26b12fda4084b5fe5cd547504f729864173a97163ceafce5da15
Opcode Fuzzy Hash: c14f06df38f0fb473a4aa8476d427ad33fb3adc3615abd7e4720bd95abce625e
Instruction Fuzzy Hash: 3971376660D6904BD3289A3C8C5037ABA925B9B334F2D976FF4F2473E1C5298806935A

Function 021B3F67 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

4_2], xrefs: 021B41F1
C+N), xrefs: 021B41BF

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4_2]$C+N)
API String ID: 0-865003193
Opcode ID: 9c35d6857e1d9e0111a4e880abff91e774f5a19511ddde2181cbe8f64134f720
Instruction ID: b8a8cac7a5200dcfb07ed439cb3ac006197acd30a4ab6921e2682e7003c80a46
Opcode Fuzzy Hash: 9c35d6857e1d9e0111a4e880abff91e774f5a19511ddde2181cbe8f64134f720
Instruction Fuzzy Hash: 7E815670405B809AD7228B34C8A4BE7BBF1AF17305F98585CD0EE9B282DB35B105DF65

Function 021B3EEC Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

4_2], xrefs: 021B41F1
C+N), xrefs: 021B41BF

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4_2]$C+N)
API String ID: 0-865003193
Opcode ID: 8a69b2182f7b5707f8147063e4e5f0587a72bc8d2ccc4080b973d4d1dc2bc8a3
Instruction ID: e332f77dc9c82a2028de39b0972adb2fc7f3e2b38cdf7bce32257e94150d001a
Opcode Fuzzy Hash: 8a69b2182f7b5707f8147063e4e5f0587a72bc8d2ccc4080b973d4d1dc2bc8a3
Instruction Fuzzy Hash: A7816770405B809AD7228B34C8A4BE7BBF1AF17305F94585CD0EE9B282DB39B205DF65

Function 021A22C8 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

TU, xrefs: 021A2367
jABC, xrefs: 021A244A, 021A2452

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: TU$jABC
API String ID: 0-716033895
Opcode ID: 1774c31c6a9a7bd3116b21f6109b792598e1b2c9dcd0ac86b2b4c37ed7a6ad98
Instruction ID: 70ff6e6a49787b2788475203dc2ecbe7df1741da6c254e0e2bd38b47c5c186f7
Opcode Fuzzy Hash: 1774c31c6a9a7bd3116b21f6109b792598e1b2c9dcd0ac86b2b4c37ed7a6ad98
Instruction Fuzzy Hash: 2A4178B45483849BD710EF18C8A1B2BBBF1EF96744F18881CE8C58B391E379E544CB56

Function 021A5587 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LO, xrefs: 021A55DC
KM, xrefs: 021A55D4

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: LO$KM
API String ID: 0-467390890
Opcode ID: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction ID: 6b141eb1679e8a453d6769b2ca8106fb9e52f4e9840be7c176da8939ce3d5b66
Opcode Fuzzy Hash: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction Fuzzy Hash: 6E2192B584D300EBC310AF18C855A2FB7F6EF96754F95890CE4D98B291E335C900CBA6

Function 021AB237 Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

4`[b, xrefs: 021AB2C7
, xrefs: 021AB2B4, 021AB26E, 021AB27D

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$
API String ID: 0-1013063763
Opcode ID: 8bac223c2a0c9aa98ce54ffd59ec2ef83448f0d04dddc3cde56d4df2bba30a27
Instruction ID: 184bec2de74e6f9e9bf3f2521ef181df0c9049c1f51fa0c335e50ca28caea236
Opcode Fuzzy Hash: 8bac223c2a0c9aa98ce54ffd59ec2ef83448f0d04dddc3cde56d4df2bba30a27
Instruction Fuzzy Hash: 7C112B7554C380CBC7648B50C8A0A6EB7F2FB9A309F948828E5C897212DF31E884CB56

Function 02181267 Relevance: 2.5, Strings: 1, Instructions: 1229COMMON

Download Yara Rule

Strings

@, xrefs: 0218329C

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4a84aaa2691d960cc745d9102843cd1919e3ebab9cfc4b143107c3768c6ebbc7
Instruction ID: 6ee8709f3e27a1db37fa656d9e05b4966cdeea10e4140160d4d7e12ad1359ac2
Opcode Fuzzy Hash: 4a84aaa2691d960cc745d9102843cd1919e3ebab9cfc4b143107c3768c6ebbc7
Instruction Fuzzy Hash: 938226716483819FC719DE28C8C472ABBE2AFC5618F1C866DE8E98B391D335D945CF42

Function 004492C0 Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 4b5fb86ab7783634e8426eb6a5beccb753f17b6567c103218c73c1187726e3c9
Instruction ID: 6e0865e907425cf75320b74792bf90df407925e1fa0e5ab0e50ac8bca2d6273f
Opcode Fuzzy Hash: 4b5fb86ab7783634e8426eb6a5beccb753f17b6567c103218c73c1187726e3c9
Instruction Fuzzy Hash: C0529B75608340CFD704DF28E89061BB7E1FB8A31AF19886EE5C58B352D335E950DB5A

Function 00449410 Relevance: 2.1, Strings: 1, Instructions: 801COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 49a94e6cb11d6aa5231ce31b2a3b0ae13bf27557489387570f618a1cede55622
Instruction ID: 9c79c92c8d55ea1f9b77809b46a9c6bc11abe925a532a833b99ee4f9aaeb858c
Opcode Fuzzy Hash: 49a94e6cb11d6aa5231ce31b2a3b0ae13bf27557489387570f618a1cede55622
Instruction Fuzzy Hash: 3F427A3560C340CFD704DF28E990A1AB7E1EB8A31AF19886DE5C58B362D335E950DB5A

Function 00449690 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 6a9e394f2ce95cb9a7996a26e795fe10874b16fb4776584fafaa184a522fdb30
Instruction ID: a78a7c277879c736897cf7ac7ecc7938aeebc78e1496ca281fcf500cbbfe4cdb
Opcode Fuzzy Hash: 6a9e394f2ce95cb9a7996a26e795fe10874b16fb4776584fafaa184a522fdb30
Instruction Fuzzy Hash: 9422893460C340CFD704EF28E890A1BB7E1EB8A31AF09886DE5C58B352D335E950DB5A

Function 00449780 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 7135110f5d930902eccf3a44a32dc23a60941ee016691cfe26a7abae5c701e14
Instruction ID: cca9a259955e133b43c0d4e571be30f1d12aba5fe8632a6eced6d828887752d6
Opcode Fuzzy Hash: 7135110f5d930902eccf3a44a32dc23a60941ee016691cfe26a7abae5c701e14
Instruction Fuzzy Hash: 8C228774608340DFD704EF28D99062BBBE1EF8A316F09886EE5C58B352D335E950DB5A

Function 00428D1C Relevance: 1.9, Strings: 1, Instructions: 628COMMON

Download Yara Rule

Strings

, xrefs: 0042874F, 00428723, 0042872B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 573c0e96f2afe8ad1c15bdc341012e85ab549882f6636d185d739a5475ba9a17
Instruction ID: 51e696bd5ec15287983243273ec61dae75fd2fac5fc03b4f59f6828f5017c962
Opcode Fuzzy Hash: 573c0e96f2afe8ad1c15bdc341012e85ab549882f6636d185d739a5475ba9a17
Instruction Fuzzy Hash: 0922BB75619311CFD714CF28E8A072EB3E2EB89305F49897DE88697262DB34ED11CB45

Function 00428D00 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

, xrefs: 0042874F, 00428723, 0042872B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: d1d8b00e44025d60afc62db50dc92e79d5033c821c3f3d9179cbf4b21f6c9f50
Instruction ID: dc7947b7e6109e91b50e16232e030e15c55b0782f0dcd0c8b1d58dcd2f3ec650
Opcode Fuzzy Hash: d1d8b00e44025d60afc62db50dc92e79d5033c821c3f3d9179cbf4b21f6c9f50
Instruction Fuzzy Hash: D412AB75619311CFD704DF28E8A072EB3E2EB89306F49897DE88597262DB38E911CB45

Function 00405320 Relevance: 1.8, Strings: 1, Instructions: 568COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00405682

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 919116935798560f246e6156ec8e8e9cfd8da4807187642b2343c387b473d4d4
Instruction ID: 20feea22dbaa0119b6c9156ed34180d71f45265348ec538088c5f8d36220c5c6
Opcode Fuzzy Hash: 919116935798560f246e6156ec8e8e9cfd8da4807187642b2343c387b473d4d4
Instruction Fuzzy Hash: 4F12E6B2A08B418BE7148E58D480327BB92EFA1314F19857FD8896B3D1E779DC45CF4A

Function 021A7907 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0044DB80,00000000,00000001,0044DB70), ref: 021A7930

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 818f815e677c97aae80d52fb4cae01df33caee730a9dca8d15e1327c6e4e7634
Instruction ID: 778787dcbb6747b5866e6884fdfeccad15274d0c352215fe3fb23006c67239ae
Opcode Fuzzy Hash: 818f815e677c97aae80d52fb4cae01df33caee730a9dca8d15e1327c6e4e7634
Instruction Fuzzy Hash: A851B3B5680304ABDB249F64CCA1F7AB3B4FF85768F084558E9868B2D0F375DA02C761

Function 004276A0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044DB80,00000000,00000001,0044DB70), ref: 004276C9

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 735f4f0e8ea5cc4430647eb07c1c43c3b0f65900f5abb12b3a6264a1ad4a35d4
Instruction ID: 661dc55ae77cfbde4c0051d48ed309cc2d55411694cdcf6b49fd2dde045b32f1
Opcode Fuzzy Hash: 735f4f0e8ea5cc4430647eb07c1c43c3b0f65900f5abb12b3a6264a1ad4a35d4
Instruction Fuzzy Hash: 6851FFB07083209BDB20AB24EC96B7733B4EF81358F544959F9858B390E378E801C76A

Function 00449A40 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: af47a18e417ca44032f7ecccd916510462ab16a59ee48c76b0e9b599ab7f98b5
Instruction ID: 881c954678f8796fe656ae0d28e990270fa6eae4fcec6e348efbb8980500b22d
Opcode Fuzzy Hash: af47a18e417ca44032f7ecccd916510462ab16a59ee48c76b0e9b599ab7f98b5
Instruction Fuzzy Hash: A4E1793460C340DFD704EF28E99061BBBF1EB8A316F19886DE5C68B252D339E950DB56

Function 021A7B67 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

4`[b, xrefs: 021A7FA7

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: c02f0348de239f46225b401b21c18ad46d141dd382e3ae504adb8f9a7f4a5391
Instruction ID: 5c334b96e0549c1cff29ddea7000f64e8e03d587913be81c833289b5fac1c6be
Opcode Fuzzy Hash: c02f0348de239f46225b401b21c18ad46d141dd382e3ae504adb8f9a7f4a5391
Instruction Fuzzy Hash: 59C1A1B55483409FD711AF14C8A1A2FF7F5EF96354F19491CE8D48B290E336DA06CBA2

Function 00427900 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00427D40

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 175d8a288f5888c5a2cb581ced43757a7e2644ab78572fc4fafd738db361e8ea
Instruction ID: 6bd0c6b0c3419b93c5c7550c24bf3f6632f543d7fe83940d4e1721b018c3d69e
Opcode Fuzzy Hash: 175d8a288f5888c5a2cb581ced43757a7e2644ab78572fc4fafd738db361e8ea
Instruction Fuzzy Hash: B6C1D1B160C3109BD711AB25E841A2BB7F4EF96364F88481EF8C597351E339E940CB6A

Function 021B2137 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

", xrefs: 021B243F

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: d7cbc627167302663f90844ef4a7eea153e27738aa1c859daa734b71f5b9f62b
Instruction ID: 560fed6cce1e8e0a42f58035ac610f0b315b4df2b3cc3f9d91350652166cb33e
Opcode Fuzzy Hash: d7cbc627167302663f90844ef4a7eea153e27738aa1c859daa734b71f5b9f62b
Instruction Fuzzy Hash: 77D10871A443015FD716CE24C490BEBB7F6AF85314F19862DEC9987380E778D948CB91

Function 00431ED0 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

", xrefs: 004321D8

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: ff99a7c9b470f766bfbe338ba90c26ed05b46c28c8c0b3cdbf304a5dfe3f06da
Instruction ID: 42062e19262baeacce261b2f88b05e1f475a0e7cfe5b4b7249c66d792c028547
Opcode Fuzzy Hash: ff99a7c9b470f766bfbe338ba90c26ed05b46c28c8c0b3cdbf304a5dfe3f06da
Instruction Fuzzy Hash: 35D147B2A043009FD714CE25C98076BB7E5AF89310F189A2FE99587391E7BCDD49C786

Function 00448C40 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

P, xrefs: 00448DE6

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 42475a6d9d4a1a8bfd98537bfd63c011a62fd918712275191ea96adf7ca5917d
Instruction ID: 34688efd5666104c9592188b828e154dc221ee294a09268e027c054d00bcd7fc
Opcode Fuzzy Hash: 42475a6d9d4a1a8bfd98537bfd63c011a62fd918712275191ea96adf7ca5917d
Instruction Fuzzy Hash: 9BD1F4329082644FE719CA18C45072FB6E2EBC5318F15863DE8B9AB390DB79DC06D7C6

Function 0042887B Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

, xrefs: 0042874F, 00428723, 0042872B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 63899ac525b73123fe937764e65aff5db5442e900d19f84f58249e8b59d622ee
Instruction ID: 0bc9d32587badb6e1089986d6acf427c4e4f3aa01848c782b773e6d10f2386de
Opcode Fuzzy Hash: 63899ac525b73123fe937764e65aff5db5442e900d19f84f58249e8b59d622ee
Instruction Fuzzy Hash: 58D1BEB5619301CFD704DF28E8A076AB3E1FF89306F09897DE48697262DB34E950CB45

Function 0042F700 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

0{y, xrefs: 0042F924, 0042F92D

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0{y
API String ID: 0-51807998
Opcode ID: 20fa1c9257911a36ca36470c2e7e1c22bb6fb13c29c85412142eef28ecb33bfe
Instruction ID: c4731e0e9eccddd579ce74b767209ac34a9a962a8e632d51c6645eda6d2b33b1
Opcode Fuzzy Hash: 20fa1c9257911a36ca36470c2e7e1c22bb6fb13c29c85412142eef28ecb33bfe
Instruction Fuzzy Hash: ECE124745083918AD724DF18E950B1FBBF1BB86708F90092DE9C89B391D735D909CBAB

Function 021A94CE Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 021A962D

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 211c641e2bfe9d3f490daea082da1c49a1a69d149fe54152d479fb630b8887b0
Instruction ID: 140efeec7c59d280af8843c2f3ffea1a786544307606e2556a359cc930f53c0b
Opcode Fuzzy Hash: 211c641e2bfe9d3f490daea082da1c49a1a69d149fe54152d479fb630b8887b0
Instruction Fuzzy Hash: 4B3151B81193849FD710EF54D9A062BBBB1EF82B54F00491DF5CA9B210E339C984DB96

Function 021B44EA Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

=G>D, xrefs: 021B476A

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: =G>D
API String ID: 0-1722088145
Opcode ID: c0b44d7c01c9fa389a4e901232ba9396630c6e9af64780a300d14e9e3cabf176
Instruction ID: a3aed35ca194ed6b716ba695d99c5b350ebfa423ca01bcac38d003b12d7f272a
Opcode Fuzzy Hash: c0b44d7c01c9fa389a4e901232ba9396630c6e9af64780a300d14e9e3cabf176
Instruction Fuzzy Hash: F0B16970504B809ED726CF398460BE2FBF1AF0B305F5888ADD5EA9B652CB36E505CB54

Function 00429DC9 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

4, xrefs: 00429F53

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-350161683
Opcode ID: 92a0072889c20233ca62e92d02a93d087f6e24251b83944abd5c3ca87f7dbe86
Instruction ID: 0174e6cff714d9d3c0264d8286eeb52dca6f5f2297d9d4a0b4876d546a24463a
Opcode Fuzzy Hash: 92a0072889c20233ca62e92d02a93d087f6e24251b83944abd5c3ca87f7dbe86
Instruction Fuzzy Hash: 4DA1C9716083528BD310DF24D480A6FB7F2FF94740F988D2EE4C587261E7399959CB9A

Function 021C85F7 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 021C8817

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: a2a7c3d5b53d3495e0a029f1c742286a72315fca4859db4f6bf38989ffaea507
Instruction ID: 44617b1ae599c0715aec2c33119ebf80d5ea2389087d913c2e0162279ee067c3
Opcode Fuzzy Hash: a2a7c3d5b53d3495e0a029f1c742286a72315fca4859db4f6bf38989ffaea507
Instruction Fuzzy Hash: 77A1CF79648380ABD725DB14C894BAFBBE5EFA5344F65482CE59487390E731E840CB92

Function 00448390 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004485B0

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: eedfc26b24bc0fe6557ceb04a84a399e725fa3b42207ef816896f37233c85be1
Instruction ID: 131acc8278a68d64eeb6898d39fc8dfeddf15283686ebe1cb7cefac48c2ffecb
Opcode Fuzzy Hash: eedfc26b24bc0fe6557ceb04a84a399e725fa3b42207ef816896f37233c85be1
Instruction Fuzzy Hash: 3CA1BF71608341ABF720DF14C850BAFBBE5EB85355F54482EF98497391EB34E940CB9A

Function 021CAF87 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

;:54, xrefs: 021CAFBA, 021CAFC2

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: d757b867f37f477c4b0fcb36ab1cfb286a9f5f27b7b0912a23d484d82cad9268
Instruction ID: d8f1aef57a4a78f37c921d5fcca33d93c7d7bd37715df16a624d7dacf576acb3
Opcode Fuzzy Hash: d757b867f37f477c4b0fcb36ab1cfb286a9f5f27b7b0912a23d484d82cad9268
Instruction Fuzzy Hash: E081E0782483419BC724DF28D891A2EB3F5FFA9758F25892CE991CB351E731E910CB52

Function 0044AD20 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

;:54, xrefs: 0044AD53, 0044AD5B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: a552d39f2bd7ef4868304ccf967d23ef7fffb579692fdef7b13429a2f9516bf0
Instruction ID: 21f2187efaab772fbbc5d5b1e6dd703fa95306b9cd8bccf6eef653216d17fc48
Opcode Fuzzy Hash: a552d39f2bd7ef4868304ccf967d23ef7fffb579692fdef7b13429a2f9516bf0
Instruction Fuzzy Hash: DE81BDB42487019BE724DF28C890A2BB3E5FF89745F14892DE4858B351E735EC24CB9B

Function 00429EE0 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

4, xrefs: 00429F53

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-350161683
Opcode ID: 198d44f7afc769c1b3122b401b871429bf2e966949c3172fdbe8aea22ff48e24
Instruction ID: e4fc10516fa2316bf4a5599780e9b805dc78d69fb17dffabfdebbfb6507c3884
Opcode Fuzzy Hash: 198d44f7afc769c1b3122b401b871429bf2e966949c3172fdbe8aea22ff48e24
Instruction Fuzzy Hash: 42A1F071608312CBC320DF28D48096BB3F2FF88741F968D2DE4C687260EB39A955DB56

Function 0218ABA7 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0218ACDD

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 62817cb2a17c8e9643bd4b2493ff8d6ec1e3fb4a32a297e266eb5e7dd60e8b6d
Instruction ID: ab16179a133f4e9d50bc941f9b631f7be62b243f1e054a069791fde4c57c636f
Opcode Fuzzy Hash: 62817cb2a17c8e9643bd4b2493ff8d6ec1e3fb4a32a297e266eb5e7dd60e8b6d
Instruction Fuzzy Hash: 72B138711093859FC325DF18C88061BFBE0AFA9604F448E2EF5D997742D771EA18CBA6

Function 0040A940 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040AA76

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 62817cb2a17c8e9643bd4b2493ff8d6ec1e3fb4a32a297e266eb5e7dd60e8b6d
Instruction ID: 12db4f90ca3269c29524b76ef3c1c0f8dbc8020f24ad9f5730d38d234bfc5a28
Opcode Fuzzy Hash: 62817cb2a17c8e9643bd4b2493ff8d6ec1e3fb4a32a297e266eb5e7dd60e8b6d
Instruction Fuzzy Hash: 37B139712083819FD321CF18C88065BFBE0AFA9704F444E2EE5D997782D635E918CBA7

Function 021A2900 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

O1NO, xrefs: 021A2A7D

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: O1NO
API String ID: 0-1325606490
Opcode ID: b2729491a23b058415b63bdeede9e89948faac2af451d4476a2dbc819277f847
Instruction ID: aaf79cac307ea5c5c1283863e37859ed9700c162347220a6b60e93a6affc0d47
Opcode Fuzzy Hash: b2729491a23b058415b63bdeede9e89948faac2af451d4476a2dbc819277f847
Instruction Fuzzy Hash: 425156B45483908BD7219F18C8A1B2ABBF1FF92754F04590CE8D58B760E33AD901CB67

Function 00421DC0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

a B, xrefs: 0042205B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: a B
API String ID: 0-3137502235
Opcode ID: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction ID: 6791246eca1351c5328d7902d9057258b1aec060df4b542f970ff6e8af0f9a69
Opcode Fuzzy Hash: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction Fuzzy Hash: DF5168B06083508BC714DF14D581A2BB7F0FFA6358F448A0EE8D59B3A1E339D944CB9A

Function 021C57E7 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

, xrefs: 021C583D, 021C59C6, 021C599A, 021C581A, 021C5822, 021C59A2

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 97c0581e13873ac6d00475eddfa4b9016fd0f49bbca9c614caf131ebfde5a57d
Instruction ID: 295333400ccbc9c26061669ec59713bab512da6fc5ce62166335eff3c062213b
Opcode Fuzzy Hash: 97c0581e13873ac6d00475eddfa4b9016fd0f49bbca9c614caf131ebfde5a57d
Instruction Fuzzy Hash: 5961F47864C341ABDB18DF15C880B2AB7E7AFE5314FA4896CE4D5A7251D731F810CB52

Function 00445580 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

, xrefs: 004455D6, 0044575F, 00445733, 004455B3, 004455BB, 0044573B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 7a42694725f0e8f604c61eb579e0ffb5b06b52798249ef1ea9602468f7b0b423
Instruction ID: 99bd972ddb00d8c0accb3e56e9343d025c11d7df58ce895e5b891d06f5205592
Opcode Fuzzy Hash: 7a42694725f0e8f604c61eb579e0ffb5b06b52798249ef1ea9602468f7b0b423
Instruction Fuzzy Hash: 0D61E2356087019BFB10DF24C880B3BBBE6EB85314F55892EE48987362D639EC11CB1A

Function 021C83F7 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

4`[b, xrefs: 021C85B7

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: db4dfddcede49f78106a627464b414e1e88793db11c4c7aebe51ef1b930f4cbc
Instruction ID: 48ed65a8458b998d0c4b1ea5106a49ca2bdc140dc79d2a812b27274aa555cb22
Opcode Fuzzy Hash: db4dfddcede49f78106a627464b414e1e88793db11c4c7aebe51ef1b930f4cbc
Instruction Fuzzy Hash: 43510475648350ABC7169A18CC90B3EB7E6EFA5719F39862CE4E9973D1C331E810CB52

Function 00448190 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448350

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 96d8d896c6325d1ecc715d8eec931c372c915e865b1d35b4a9b399d7417457fe
Instruction ID: f2be005d942e4e2615dd207fd9a3b45408ac578641062338537af6c7fa4a3d29
Opcode Fuzzy Hash: 96d8d896c6325d1ecc715d8eec931c372c915e865b1d35b4a9b399d7417457fe
Instruction Fuzzy Hash: 7A5125316087049BE7149F19C890B2FB7E5FF85715F188A2DE8D957391CA3AEC01C79A

Function 0219F7B9 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

nInO, xrefs: 0219F8BE, 0219F8CD

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: nInO
API String ID: 0-2565600075
Opcode ID: 0b8e71472248b542dd57f359284ad3a6a1583c9845352cc529e91a9a906f92f2
Instruction ID: 6854a6db197741f435c2b81e0a222b63541f0008813cb0306f59eb96637f2ab6
Opcode Fuzzy Hash: 0b8e71472248b542dd57f359284ad3a6a1583c9845352cc529e91a9a906f92f2
Instruction Fuzzy Hash: 15516AB4549381AFE7708F10C865BEBBBF1BF86708F64081CE4C85B290DB7A9455CB96

Function 021C46E7 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 021C483D, 021C481A, 021C47BD, 021C479A, 021C47A2, 021C4822

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 522cd8682013f376c1e50e5e58f0c34041c8bc71e5a303a54ee83ee427a6fe39
Instruction ID: 3c657419d5911f3b79b945bf3a5eb848537625d82f4f952d1e4bb36e1eb1f95b
Opcode Fuzzy Hash: 522cd8682013f376c1e50e5e58f0c34041c8bc71e5a303a54ee83ee427a6fe39
Instruction Fuzzy Hash: 0F41913C54C3809BDB28DF54D860A2AB7F6EFA6745F24883CE4C597211D336E810CB22

Function 00444480 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 004445D6, 004445B3, 00444556, 00444533, 0044453B, 004445BB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: c3984b0afdbe81277c892565e6284a68daa2c00bdff0285ab262ff4f6266c121
Instruction ID: ae879fc850b573c7fcc27bce8fc0229c99342f9cf9ea990149d60e095a57cdc4
Opcode Fuzzy Hash: c3984b0afdbe81277c892565e6284a68daa2c00bdff0285ab262ff4f6266c121
Instruction Fuzzy Hash: 9241B035608240ABEB24DF14D980B2BBBE6EFC6705F19482EE5C587311D739EC51CB2A

Function 0218F029 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

39>?, xrefs: 0218F16A

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 39>?
API String ID: 0-532897804
Opcode ID: fd9dd006e0adc0f1d7c8f032b0cc792d1593ec69da596a106d15787dcd07f03c
Instruction ID: 3a4489bf7741c236541f3fe24effb2407e2139909388b3bb1cbf9b41cc3e19a0
Opcode Fuzzy Hash: fd9dd006e0adc0f1d7c8f032b0cc792d1593ec69da596a106d15787dcd07f03c
Instruction Fuzzy Hash: B95158B1D02248AFDB04DF94E990AEDBBB2EF5A312F281429E400B7751D7359A50CF68

Function 021CA877 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

;:54, xrefs: 021CA8AB, 021CA8B4

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: d4269a9931393d21e097e7e2d2e2d2025438c050bdf92c2a886c34cba58bc327
Instruction ID: 8ce60c8ab3b12895a4d3a004e8c90087e5be4bff10b337a4926eefbda59faf5a
Opcode Fuzzy Hash: d4269a9931393d21e097e7e2d2e2d2025438c050bdf92c2a886c34cba58bc327
Instruction Fuzzy Hash: 5F41DE78688348AFD7199F14C892B2FB7E6EF95B15F35882CE5C987291C331E810CB52

Function 021C4BC7 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 021C4CDD, 021C4CBA, 021C4CC2

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: b95decbbccf413ba2b0aaf86f5035c570a28ab5f55363f7dfd9981f7a2c6353d
Instruction ID: 867e62cd5cd0694be98fff3a4895d42eedcf3564abf70a4375c23e3746e720e3
Opcode Fuzzy Hash: b95decbbccf413ba2b0aaf86f5035c570a28ab5f55363f7dfd9981f7a2c6353d
Instruction Fuzzy Hash: 6141F63D548309EBCB24EF14DC60A7EBBA6EFA5704F24481CE89587261D732D820DB66

Function 00444960 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 00444A76, 00444A53, 00444A5B

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 14c545dee9ca3b9773ca046853ccc447e70483d1340eecc98b931c74cbf1d43a
Instruction ID: 274f3e1b3b6f42031ba6c240eb81a6913b2c0584eb231ee528a0b8831dbf2603
Opcode Fuzzy Hash: 14c545dee9ca3b9773ca046853ccc447e70483d1340eecc98b931c74cbf1d43a
Instruction Fuzzy Hash: 5341D275604204ABEB20DF64EC41B6BBBA5EFC5705F04482EE88593351D339DC10EB6A

Function 021CAA07 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

;:54, xrefs: 021CAA3B, 021CAA44

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 158c608d25fcbd454c26e9a025f61dc02d049de3ed13e05fae4e655b95f79b27
Instruction ID: 02e2a3d953342b8b362bec11c0da66e5fcd393ddc8dccc36255177a5c25fd671
Opcode Fuzzy Hash: 158c608d25fcbd454c26e9a025f61dc02d049de3ed13e05fae4e655b95f79b27
Instruction Fuzzy Hash: 19419B78648348AFD7259F14C990F2EB7A6EF95B18F34882CE58987291C331E810CF66

Function 0044A7A0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

;:54, xrefs: 0044A7D4, 0044A7DD

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 031c22b133dd9dba0ebc7900e4cb744e3d4209b3f1ea91417fb3c36fded8ae43
Instruction ID: 78e3c2dc7897cdc557890b703a0409e606c332cfa71594da55bc866c29a599f7
Opcode Fuzzy Hash: 031c22b133dd9dba0ebc7900e4cb744e3d4209b3f1ea91417fb3c36fded8ae43
Instruction Fuzzy Hash: FE419D74648300ABE714AF14D890B2FB7F6EB85715F24882EF58997291C339E821CB5B

Function 021AE685 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

4`[b, xrefs: 021AE6F7

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: d6d4f54fbe405900c029680ebebca9d12b6abf05af800f5610dd8d7e4c84cf42
Instruction ID: cd76b2c2368f12081273d174b7f5f3ae6cbee1b29bc0a7c4968d01569dab60b9
Opcode Fuzzy Hash: d6d4f54fbe405900c029680ebebca9d12b6abf05af800f5610dd8d7e4c84cf42
Instruction Fuzzy Hash: E111B675948302CBD701DF64DCA092AB7F2EF96395F151C28E480D7262D331E854CBD5

Function 00420729 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

, xrefs: 004207BD, 00420777, 00420786

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 32387dd3542a485ec372521255e0c86dbce74193274f2aceababfaa4507e62a6
Instruction ID: 0e37ae3c7cdb39b94d4783fab9bf39235a70f96b3866e444776f1420009e3a49
Opcode Fuzzy Hash: 32387dd3542a485ec372521255e0c86dbce74193274f2aceababfaa4507e62a6
Instruction Fuzzy Hash: 7E218E356093419FD770CF10E890AABB3A3EBC5302F954A6DE08897252DB35F891CF86

Function 021AA457 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

4`[b, xrefs: 021AA4B7

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: bfe61d55180d9910a2a65549bab488483307afbcef1c35780428ec5b512c4a19
Instruction ID: 98aee247ebf4f28a21402ea32123d0e1b97e3919dc99191f9ef077b5957c13df
Opcode Fuzzy Hash: bfe61d55180d9910a2a65549bab488483307afbcef1c35780428ec5b512c4a19
Instruction Fuzzy Hash: 8A1146796583828FD704DF64D8A492AB7B2FFCA306F584C2CF89193251D332E946CB16

Function 021B0DDF Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

z, xrefs: 021B0E0E

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: z
API String ID: 0-1657960367
Opcode ID: 2c4c3b6af09e80377f6c925375e1eb043b8da099a319a4a56168f28cb06a555d
Instruction ID: fa84d90acb67f315da5a679106a07ca4c516d7d406b408a3e40701c085f8d83d
Opcode Fuzzy Hash: 2c4c3b6af09e80377f6c925375e1eb043b8da099a319a4a56168f28cb06a555d
Instruction Fuzzy Hash: 5821607945C390CBC312CF15C09066BBBF1AF8A648F294A5DD4D5AB351D336D904CB96

Function 0042A1F0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042A250

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 71637f2b961aae30c1abcf79f9556ccac77976f21aa7df97791045416a8145e8
Instruction ID: 900762551a009ee9e5bc5032e1dc8f56701680aef49dcc048cf94ae26ce606f7
Opcode Fuzzy Hash: 71637f2b961aae30c1abcf79f9556ccac77976f21aa7df97791045416a8145e8
Instruction Fuzzy Hash: 7F116731618352CFD704DF60E89092BB7B2FB86302F844C6CE89193252C336E956CB2A

Function 0062EAC3 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Ub, xrefs: 0062EAC9

Memory Dump Source

Source File: 00000000.00000002.2424482575.000000000062E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0062E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_62e000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Ub
API String ID: 0-2216202084
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 78bf33954b321afe289b2b66ed6c72ea868337d08921b9246b19a695bdb15022
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 75118E72340510AFD744DF55ECD1EA673EAFB89321B298069ED05CB312D676EC02CB60

Function 021B05FF Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

4`[b, xrefs: 021B0667

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 40f183d035f6c99d9fcf50fd9b7db48c08288283d3b9bb193e87f18c1e1ae91c
Instruction ID: 1f40fc6d24fce9a10fd981b11bece6ff02f738713a98087dc3a49f89275cfc60
Opcode Fuzzy Hash: 40f183d035f6c99d9fcf50fd9b7db48c08288283d3b9bb193e87f18c1e1ae91c
Instruction Fuzzy Hash: EB118FB1548342DBD606DF24E99096BB7F2EF9A302F149829E084A3211D332EC44CBA6

Function 00430399 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00430400

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 36c81f32d7e8e98c2885f55244e5b12d3ca4cf1e43c1a724e488aea8086b4d45
Instruction ID: 0fede4bbd285df6194be11d0089554e364ca0ed6f48cce0ee28e8a9528bdc190
Opcode Fuzzy Hash: 36c81f32d7e8e98c2885f55244e5b12d3ca4cf1e43c1a724e488aea8086b4d45
Instruction Fuzzy Hash: 5A115A726083429BD704DF15E9A042BF7F6EB9A706F54692EE580E3212D335EC508B6A

Function 0218C227 Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15a07e94fb83b0f9fd33538d9d1ee1799bd0c59f59465bd23fd84dc6ea71173
Instruction ID: a35774bf880ea45a3419706e523a7b35fa09a3f530205dabd48cab9f131342a5
Opcode Fuzzy Hash: a15a07e94fb83b0f9fd33538d9d1ee1799bd0c59f59465bd23fd84dc6ea71173
Instruction Fuzzy Hash: 1F52C2326487118BC729EF18D4C027AB3E2FFC4318F19892ED9D697285E735A851CF92

Function 0040BFC0 Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15165873a2b71e9ad4aef63ef2515f51c890ce2bec2ceb65bd7d5d63dac0f0cb
Instruction ID: 8ca5f52accdc9143aef8896f108a10c71876bcd751686983a5eb443fd30660e4
Opcode Fuzzy Hash: 15165873a2b71e9ad4aef63ef2515f51c890ce2bec2ceb65bd7d5d63dac0f0cb
Instruction Fuzzy Hash: 7E529F31518311CBC725DF18D48026BB3E2FFD4314F298A3ED996A7385D739A856CB8A

Function 0218B717 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be52c68402c1a256dc0bff41ed4c6e5da89aba4ddac84e3b8cee7d09d710cb91
Instruction ID: fe82c52d3764d144065b3248230167a6236cd46670f3ea30852377af3907bab6
Opcode Fuzzy Hash: be52c68402c1a256dc0bff41ed4c6e5da89aba4ddac84e3b8cee7d09d710cb91
Instruction Fuzzy Hash: 2852F3B0948B848FE734EB24C0C47A7BBE1EF81318F14992EC5E646B86C379A585CF55

Function 0040B4B0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be52c68402c1a256dc0bff41ed4c6e5da89aba4ddac84e3b8cee7d09d710cb91
Instruction ID: 2a543fe0290e35dd774d49a35ab7b808e05b95325d1f41aa21e6dfa613f40ce0
Opcode Fuzzy Hash: be52c68402c1a256dc0bff41ed4c6e5da89aba4ddac84e3b8cee7d09d710cb91
Instruction Fuzzy Hash: 995280B09087888FE7358B24C4847A7BBE1EB91314F14493EC5D656BC2C37DA989879E

Function 02187617 Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aebd196cfce2ece89693e8a3af266d99451e3254239792bf7d557356db20812
Instruction ID: 67abf9a739b3c60bb6ef6c5f63e07889c5ff8cc591441c1f7a09c06cd97f351f
Opcode Fuzzy Hash: 9aebd196cfce2ece89693e8a3af266d99451e3254239792bf7d557356db20812
Instruction Fuzzy Hash: 9C52C3355083458FCB15DF24C0D06AAFBE1BF88318F298A6DE8995B381D774E94ACF81

Function 004073B0 Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aebd196cfce2ece89693e8a3af266d99451e3254239792bf7d557356db20812
Instruction ID: 1299278142d69064fa20501cc2947707d5ea86ed0659b469aa11ec982258ee42
Opcode Fuzzy Hash: 9aebd196cfce2ece89693e8a3af266d99451e3254239792bf7d557356db20812
Instruction Fuzzy Hash: 7052D37190C3458FCB15CF28C0806AABBE1BF85314F198A7EE89967381D778F945CB86

Function 02188017 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc72286782c76dc1b518893e36444785179378f8b2301ee3f0add1592b3c476
Instruction ID: 85fd6800eb434fc63653293655da0b97429aa272bc5be39355aa469974379b6f
Opcode Fuzzy Hash: 6cc72286782c76dc1b518893e36444785179378f8b2301ee3f0add1592b3c476
Instruction Fuzzy Hash: 073210B0554B188FC368DE29C5D062ABBF2BB45710B924A2ED6A787F90D736F844CF14

Function 00407DB0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc72286782c76dc1b518893e36444785179378f8b2301ee3f0add1592b3c476
Instruction ID: 61efba15a6eb25ad1034543c33e3361113fa73d3afab78e42815a8d0d2a0988b
Opcode Fuzzy Hash: 6cc72286782c76dc1b518893e36444785179378f8b2301ee3f0add1592b3c476
Instruction Fuzzy Hash: 92320370915B118FC328CF29C69052ABBF1BF85710B604A2ED6D797F90DB3AB845CB19

Function 0218A657 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction ID: 5ba295c98b9edab0c8c07d47b58f879a45ffc2cda8b3311f340573167bd3d382
Opcode Fuzzy Hash: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction Fuzzy Hash: D9F1DD356487418FC728DF29C8D066BFBE2AFC9204F08992EE4D587751EB75E804CB96

Function 0040A3F0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction ID: 58a25341c55a3b80564a6f3fd460fa8bad488cfbb2019d67dcfb717cc5f8fa03
Opcode Fuzzy Hash: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction Fuzzy Hash: 68F1E0366083418FC724DF29C88176BFBE2AFD9304F08892EE4C587791E679E855CB56

Function 00409AC4 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b084b93d18f5122eb4f37eec6fbd4d37e16d81bb93f817f437e21aadb76732
Instruction ID: 31cd3b0a7633fb710b89429b2bc56ded61296508807ad5e1714f2512d5ae2172
Opcode Fuzzy Hash: b7b084b93d18f5122eb4f37eec6fbd4d37e16d81bb93f817f437e21aadb76732
Instruction Fuzzy Hash: 2A02233520D380EFC714CF28D854A5FBBE1AF9A304F48886DF986873A2C675D958CB56

Function 00409130 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b04d311740c3a693510d137259d1953bdeb9af0456c45c6f26f121977fee93
Instruction ID: b2bb1137b2c262fe44042a2509ebdf908a7067687372834c765dcb93f4ac5d47
Opcode Fuzzy Hash: 79b04d311740c3a693510d137259d1953bdeb9af0456c45c6f26f121977fee93
Instruction Fuzzy Hash: 6CD16579618201CFD308CF28D85076AB7E1BF89319F09897DE88A87391D779DA49CF85

Function 021C89A7 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0d9516398d688d16a506a29d6e62ba6ad3c175a049fe8551667ded4b3a4f73
Instruction ID: f3af277b9128ca18546accd866cbd303e2e902f25194455761085971abbd69e0
Opcode Fuzzy Hash: ee0d9516398d688d16a506a29d6e62ba6ad3c175a049fe8551667ded4b3a4f73
Instruction Fuzzy Hash: 34B115B5A443404FD729DB28CC81B6FB7E6EFD5318F1A492CE99987340EB35D8048B96

Function 00448740 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38d465297857997a66cbd81480a98a747353c671aa88e59efa72fd24129981d
Instruction ID: 95ae740343870db962639aac20e96c13ca122ca98226fcd363cc888841663938
Opcode Fuzzy Hash: a38d465297857997a66cbd81480a98a747353c671aa88e59efa72fd24129981d
Instruction Fuzzy Hash: 9FB1C4B2A043408BF714EB29DC5176FB7E5EBC5318F08492EE985D7381EA38EC05875A

Function 0042F038 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777be3b012202c20f2d24fc21d88a83219a840c3de9a95746034cd2ee5c9bcba
Instruction ID: 3e124b1ee1e2fbb94c0108bd99818db20fcb92b5a624684b48bb233c73bebb9e
Opcode Fuzzy Hash: 777be3b012202c20f2d24fc21d88a83219a840c3de9a95746034cd2ee5c9bcba
Instruction Fuzzy Hash: B2B16931A08391CFE324CF38AC9035AB7E2AF96311F59867EE9E1472A2D774DC048B45

Function 0218B277 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0c86732349e253abbbf0d9b9b08fb7b6e8d0a6d37f13b63e92bce75656d0ff
Instruction ID: 1a09aa399041bf4d13b65cf0ac123210169428de28473497609eb3fc63f33799
Opcode Fuzzy Hash: bb0c86732349e253abbbf0d9b9b08fb7b6e8d0a6d37f13b63e92bce75656d0ff
Instruction Fuzzy Hash: 57C16AB29487418FC370DF28C886BABBBE1AF85318F09492DD5D9C7242E738A155CF42

Function 0040B010 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0c86732349e253abbbf0d9b9b08fb7b6e8d0a6d37f13b63e92bce75656d0ff
Instruction ID: 2bf9ac9d92d49db1f35f54c551e4b1d3b2bfac4e841633df1b0f5e6c6eea4945
Opcode Fuzzy Hash: bb0c86732349e253abbbf0d9b9b08fb7b6e8d0a6d37f13b63e92bce75656d0ff
Instruction Fuzzy Hash: E2C169B29187418FC320CF68C886BABB7E0EF85318F08492DD5D9D6342D778A555CB8A

Function 02185622 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93de646128c2a1e27bc7a35362298ad76ca911dd06d5cbe8f08a8ea0f9c388b8
Instruction ID: a12d9fdabaab0ba8437a4187675f1b298e17e8caddf192f6ca1b95e8c1123dda
Opcode Fuzzy Hash: 93de646128c2a1e27bc7a35362298ad76ca911dd06d5cbe8f08a8ea0f9c388b8
Instruction Fuzzy Hash: 449107B2A48385ABD7259E94C4C0326BBD3EFA121CF8F856DD9954B341E3B1C849CF41

Function 021855D7 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bcdd76c8f98ce520aa1881e03f3f460d994fdbee877921ba7cb16768a7a411
Instruction ID: dbef4d6f9b2030ddf3c02415571bee0ccdf5846851d5e1a78ba664398879cb93
Opcode Fuzzy Hash: 89bcdd76c8f98ce520aa1881e03f3f460d994fdbee877921ba7cb16768a7a411
Instruction Fuzzy Hash: 8F81E4B65487829BD7259E19D4C0326BBE3EFE1218F9FC56ED4694B241E7B1C808CF41

Function 021B9D67 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56e68389801fe303f6f674034ac13fba2831c4c6cc46526df2bda9e0ac50255
Instruction ID: 5ea90ca9acce224d43f1b588f131ea8cb34a3d8b416aab4b9f8ded82fefe8cd8
Opcode Fuzzy Hash: a56e68389801fe303f6f674034ac13fba2831c4c6cc46526df2bda9e0ac50255
Instruction Fuzzy Hash: 6E611737A8999147C71A5E7C4C552E8AE370F97234B3F836AEAB55B3D1C7268C02C790

Function 00439B00 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696d2aa435a88c5cb9f62c8bb66cf98639590cd84ba3f79e2120987dea59b3f6
Instruction ID: 03c335b696acbfa1222c85735cd042e192cda2d6d7cb1635e12136a9917dd72d
Opcode Fuzzy Hash: 696d2aa435a88c5cb9f62c8bb66cf98639590cd84ba3f79e2120987dea59b3f6
Instruction Fuzzy Hash: 88616933A0959047C7145E3C5C522B9AA571BDB334F3EA36BD8B15B3D1D5AE4C02839A

Function 021A2027 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction ID: 8fce321f0ea324822c86c10b563ec9ecf6c5bb938366b75fa2b1484ab3bc7688
Opcode Fuzzy Hash: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction Fuzzy Hash: 255169B85483408BC714EF14C4A1A2ABBF0FF96358F048A4DF8D59B3A0E335C945CB96

Function 0043F1E0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31eb65ba5d94ac51842e776ac950774c660abfcd452dc49c942fc67d509d6191
Instruction ID: d89d67e6857123330a75621b11ed0d4d2d8cbfec3bcc0f746fb68ba78aa451ae
Opcode Fuzzy Hash: 31eb65ba5d94ac51842e776ac950774c660abfcd452dc49c942fc67d509d6191
Instruction Fuzzy Hash: 9D515DB19087548FE314DF69D49435BBBE1BBC9318F144A2EE4E987390E379D6088B86

Function 021C0A47 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction ID: 23871603381a3d78ae54b831c79c3d442ce872f1f739438ddd16feb6f0b840ef
Opcode Fuzzy Hash: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction Fuzzy Hash: 8C5148796487948FC728CA28C4907BFB7E2EFDA204F19895DE4D68B386D335E944C781

Function 004407E0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction ID: 1f599e4a3158c74960d010f2bc0623c05adc229359004241147c85c12db3a7a7
Opcode Fuzzy Hash: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction Fuzzy Hash: B151677160C7944FE724DA28C4906BBF7E2EBCA304F05891EE5D68B386D239ED11C786

Function 0219DFBC Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction ID: bfb2af36abd5c76a22b4b42d4e727d3f12aab71fa192ba66bd46206766682186
Opcode Fuzzy Hash: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction Fuzzy Hash: 1341FFB0A802018BCF24DF18C892BB773B1FF56724F099219E8529B3D0F735A101CBA1

Function 0041DD55 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction ID: c3eb6362ce0c75d13d700f485dc85ea6da2151878511bd4321f44dde0745d3df
Opcode Fuzzy Hash: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction Fuzzy Hash: 4241FFB0D007118BDB24DF18D892BB773B1EF66365F098209E8469B3D1F738A580C3A9

Function 021AEC50 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e286a0d8a28484f591e3c1c0bbc768d422d129cc48bf26c0a4e4f4a91fdd2c5c
Instruction ID: 7c0b7dac29d9e92af4e7f82039fcf632f478a3181eb1cee779f0d06a6d1dba8c
Opcode Fuzzy Hash: e286a0d8a28484f591e3c1c0bbc768d422d129cc48bf26c0a4e4f4a91fdd2c5c
Instruction Fuzzy Hash: CB5156B2A047094BC718CE2CDC5036AB3D2ABD9200F48C63DD99ACB381EF70E901CB81

Function 0042FAA0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f59a72204999f12b57d7a6d56c558054d4f9ffdf3d7360ab34c8f025ffc8da
Instruction ID: 834d04fe016ef7ba85265e29078afe447fec19cf065d57abbf3f5259a11ec16b
Opcode Fuzzy Hash: 87f59a72204999f12b57d7a6d56c558054d4f9ffdf3d7360ab34c8f025ffc8da
Instruction Fuzzy Hash: 9C51A975A083418BD7209F14E81076BB7F0BF86344F94482EE9C897391EB399959CB9B

Function 02185E87 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6141ba95169e291fb0706b00e72ac7fb6e807640e546cc20bd0f1c039d6bc61
Instruction ID: 7c48df1cd995357ebe92ab8b02da6c3a829ed30865b0487e6585c97df96d3381
Opcode Fuzzy Hash: d6141ba95169e291fb0706b00e72ac7fb6e807640e546cc20bd0f1c039d6bc61
Instruction Fuzzy Hash: EE51B4759442409FC714EF18C8C092ABBA6FF85328F56466CF8959B391DB31EC46CF92

Function 00405C20 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129904f85c307e3588cd884dafb5844055e48e4276fee2c0a2a473afeaa7381d
Instruction ID: 800948cd5643afb1633654617254b82d61c8276f70e6524d9fc1444306718457
Opcode Fuzzy Hash: 129904f85c307e3588cd884dafb5844055e48e4276fee2c0a2a473afeaa7381d
Instruction Fuzzy Hash: 8A51BFB5A087009FD7149F14C480927B7A1FF85324F19467EE899AB392D634ED82CFDA

Function 021AFD20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f754e57b2a33262fce16e5423bd5d86c664343bae766368ac6055291173af9
Instruction ID: 6d729faa470135f0b98bec328c165facd454fe7f877d9ab5d165a0e04db30348
Opcode Fuzzy Hash: 80f754e57b2a33262fce16e5423bd5d86c664343bae766368ac6055291173af9
Instruction Fuzzy Hash: 33419A789483818BC720DF14D410B6AB7F1BF86744F54491CE8C8AB391EB369956CBAB

Function 021A9927 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction ID: 1f4ab4115497723fac577f3ba4adf649df845db791f07972529dec259ba7e1ef
Opcode Fuzzy Hash: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction Fuzzy Hash: B75110B414C384AFD300EF14C894A1EBBF8AB96684F508A0DF0D56B251D375D944CFA3

Function 004296C0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction ID: 0925ad793c1136a2802a404586ed31f0ee07a2f5848fa9ad6f03dcbcf2e6d2b7
Opcode Fuzzy Hash: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction Fuzzy Hash: 1A511FB451C384AFD200EF15E980A1EBBF8AB96748F848A0DF0D55B251D379D904CFA7

Function 0041518E Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c702810b4918d153a208cc470cd7352f5762b9d1db81313dbb29e59251792305
Instruction ID: 52a620e33f2925f96ab70c1619b5e5c7130e5b592a62fa1a6b5a43710b3232e2
Opcode Fuzzy Hash: c702810b4918d153a208cc470cd7352f5762b9d1db81313dbb29e59251792305
Instruction Fuzzy Hash: F53168B4508341DFD300EF21E855B5FB7F8EF86305F04482EF98186292E339D4098B2A

Function 02191867 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction ID: a28876a6e117904f03641e32906b92fa5c2d3ebc1a19493d3f088cd9b55df457
Opcode Fuzzy Hash: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction Fuzzy Hash: 4941F072B0C3611FD318CE3A889012ABBE2ABC5210F19C73DF0AA87394E774C549E751

Function 00411600 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction ID: bfe5cd5187ccc1ec628e516f862eecb2a9a4cff56f39fb33956bd3dde7b4fba7
Opcode Fuzzy Hash: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction Fuzzy Hash: 87411472B0C3604FD318CE3A889016ABBD2ABC5210F19C73EF1A6877E4E679C945D755

Function 021B48ED Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611dacaaa0612630d34dcf38e3afbd3659d4b5812daba8263ff291e752963b7f
Instruction ID: ae7521ac067805033f309aa4b7106c591df9553962ca57f1ecae2bb2931d1798
Opcode Fuzzy Hash: 611dacaaa0612630d34dcf38e3afbd3659d4b5812daba8263ff291e752963b7f
Instruction Fuzzy Hash: CF418C74140B809EEB268F35C460BF6BBF1AF0A304F94889DD5E68B662CB36F541DB14

Function 00437110 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa595f52097eddb0803ef205c00d6601ffbae381ba9b3012eee6b7bf647ea68
Instruction ID: df6959280d82a99e39c9dc27484d38c5c608e5d3ee414f297b97f8b4e65d43c1
Opcode Fuzzy Hash: 9aa595f52097eddb0803ef205c00d6601ffbae381ba9b3012eee6b7bf647ea68
Instruction Fuzzy Hash: AE41E6B0905B00AFD360EF3DC946783BEE4EB09314F144A5DE8AACB381D375A515CB96

Function 021A11F1 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e3edc58eafa3012c05226e79aeae4dd4f04ec3cfebab5981a45c95a0811135
Instruction ID: 26053bdb08024d354f93f820b453be8e315cf1c1cf4e373d8b477e69dcea1c8e
Opcode Fuzzy Hash: 91e3edc58eafa3012c05226e79aeae4dd4f04ec3cfebab5981a45c95a0811135
Instruction Fuzzy Hash: D84104756083909FD7718F5488507EFBBF2AB8A305F540A2DD8DC97251CB325885CF82

Function 02184DC7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2839dd83b882161fe1490b87262a236430e7447b945c1236abaa5d79ea2a96
Instruction ID: 162248f32e548d4109c9ea8c6ed4165a7256bd86bc43a505baa75d9414afbd75
Opcode Fuzzy Hash: fc2839dd83b882161fe1490b87262a236430e7447b945c1236abaa5d79ea2a96
Instruction Fuzzy Hash: 453188326846029FD715AE58C8C0A7BB7E1EF84319F29892DE899DB341DB35DC52CF42

Function 00404B60 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608b37dfba14305b93db33815757c93df7d2eb92e9354bda027161d552915dbc
Instruction ID: b276c89fb37e417b112e9a1432116ee7dab3cda9556e7031b28351ec34740547
Opcode Fuzzy Hash: 608b37dfba14305b93db33815757c93df7d2eb92e9354bda027161d552915dbc
Instruction Fuzzy Hash: A531D7756182009BD7109E19D8C0B27B7F1EFC4318F14497EE999AB381D239ED42CB8A

Function 021B3DBE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742b87774ab2404c9c60e853e4db015dc29497cd410f66677d4b471621344a66
Instruction ID: 7bd229f6d48470717343101cc16b5160be307f86760f3efffd00fef1b29d5937
Opcode Fuzzy Hash: 742b87774ab2404c9c60e853e4db015dc29497cd410f66677d4b471621344a66
Instruction Fuzzy Hash: 3331A264445B828ED7228F348460BF7BFF0AF23249F18199DD0E79B683D726A115CF69

Function 021B3DBB Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297b7bbaac5c4a1f48932f62893e4615be9aae8fe4e38a3ece68eb81fecaf336
Instruction ID: 54be07d3c62ca92ac5c48761dd0582a8cc1d6e1be15812d6215ac77a25aa1497
Opcode Fuzzy Hash: 297b7bbaac5c4a1f48932f62893e4615be9aae8fe4e38a3ece68eb81fecaf336
Instruction Fuzzy Hash: 84319564444B828ED7228F348460BF7BBF0AF13249F58189DD0F797583D726A115CF69

Function 0218FB30 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3af18a7d13aae6a74c1f1f1c3cfa75be34b19c428252623b02dbc9bc044a7a
Instruction ID: cb7eac06da83f7499b9a980870633e1c5dfc5d737b720bb5c0f210c16b00be00
Opcode Fuzzy Hash: 4d3af18a7d13aae6a74c1f1f1c3cfa75be34b19c428252623b02dbc9bc044a7a
Instruction Fuzzy Hash: 7C21A270A813848BCB219FA4C0A07EDBFF1AF5B225FAC6448D4D1B7661D3359486CF64

Function 021BBE17 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f7ec3a14dc8f63d1bf3c552701f091b218b00e814cb9dff6c2d6ce51cb6c8ad9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 0111C637A491E04DC3178D3C84505A5FFB30E93538B298399F8F99B6E6D7228E8A8351

Function 0043BBB0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f3d13c4f77b678f3f5ad4c70681dfe8afdb1ce760f55218f4420d384e65a605f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 89112C336082D80EC3218D3C8440665BF934A97234F59539EF4B89B2D6DB2ACD8B8399

Function 021B1987 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69939d62db56e3580aa246e39de08eb5efa63df3ce1e387ba072023641ee5e9d
Instruction ID: 18bb21c72597c813a38ec939724aab0de7e35440af6bbf972f3a5a8b8c405149
Opcode Fuzzy Hash: 69939d62db56e3580aa246e39de08eb5efa63df3ce1e387ba072023641ee5e9d
Instruction Fuzzy Hash: 3201B5F27417816BDB26BE5184D0B77B6B96F4B704F0A462CC84D9B200EB72E805CAE1

Function 00431720 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689434a6e26603a0695f01cf84fccc129b07ef7bb0e5c58eae2955e3fe6ef262
Instruction ID: 809c4b8c5f4d90910c120ffc8bea963b43a288cc7962883a6e400ac8cb8d82d8
Opcode Fuzzy Hash: 689434a6e26603a0695f01cf84fccc129b07ef7bb0e5c58eae2955e3fe6ef262
Instruction Fuzzy Hash: 8201B1F570030187E720AF11E4C272BB2B8AF88748F0C153EE80957346DB79EC0586A9

Function 0044716D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d12d1adf075babf471c10f2bc2ad8607f47991889b014188b00980cf6b31f3
Instruction ID: 228517455a837c86bd3de3dc643e4236668c8363ac2aa5d5ed890d384a3c7814
Opcode Fuzzy Hash: b5d12d1adf075babf471c10f2bc2ad8607f47991889b014188b00980cf6b31f3
Instruction Fuzzy Hash: 9E11AF7550C3408BE200DF64D69091EBBF6ABAAA45F200C2DF68187712C33ADC46CB9A

Function 00420F8A Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d617ffe7d5c95ea20ab83b84e9b735c0169c4a1dce0e854e5ea2c9dadd475d
Instruction ID: e0267410d78486dba0c77835f341638f85eeac581fc42256d1c37bbad7741185
Opcode Fuzzy Hash: 87d617ffe7d5c95ea20ab83b84e9b735c0169c4a1dce0e854e5ea2c9dadd475d
Instruction Fuzzy Hash: 5B21F475A083909FD771CF549840BEFBBF1AB8A305F850A2DE8D957251CB329981CB86

Function 0218FAA2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ad22aff057236c9dd6843f559d809e879b09401e89135e7d8035d75c678af1
Instruction ID: 72eaeb61bb884837a493e2d13cb3ae2345f7f0c99f22916379c154b2a7e964b3
Opcode Fuzzy Hash: 22ad22aff057236c9dd6843f559d809e879b09401e89135e7d8035d75c678af1
Instruction Fuzzy Hash: BB01B170B80280CFCB219F68D4A07ADBBF1AF4B225FAC6459D4C2E7650D3318886CF65

Function 021872D7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction ID: 729656c39c5056286e2df4453f6e242b97aa4c08b7941bbe57340ce74436b885
Opcode Fuzzy Hash: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction Fuzzy Hash: 31F0F03B7A961A0BD720DDB9ECC0A6BF396D7C6108B1D403CED41C3341DA65E80A96E6

Function 00407070 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction ID: 0881e27a7d94786878d36033187f5f8f48ccf74c1cb2524e580698b1175071d2
Opcode Fuzzy Hash: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction Fuzzy Hash: A0F0F63BB6931A07D710CD79ECC0A67B396D7C5245B1D413DE940D3341D47AFC0992A9

Function 02180D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: d67b9e7fab7520545b681291c8a6805b0b5d10f613be528371692bcb0754d33a
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 4D01F7726506088FDF21DF20C855BAB33E5FB89305F1541A4D90697241E370A8458F80

Function 02193DE3 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction ID: 07eccdce23de5f25f01ef2bf49b7b650d51d05a885380a7ad3c29dfe945e878a
Opcode Fuzzy Hash: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction Fuzzy Hash: 17F019709482809BD305EB94D890E2FFBF9AF96700F54196CE1C097252D77AD914CB6B

Function 00413B7C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction ID: 3824444f2fea6a38aa224781555283573b27659997e86fc043f4af1527c16adb
Opcode Fuzzy Hash: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction Fuzzy Hash: E7F0697090C3808BD305EB95D855E2EFBF8EF96305F44086DE1C097252E379EA188B6B

Function 0219B597 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c332212aec59577850e0a7367b5fbd780d732cb76fb814b134734f21102cc390
Instruction ID: 4a55a062d54a1a4ebe48d6d511bb831a1e3de71b33cdde5cc77366d7b0001d64
Opcode Fuzzy Hash: c332212aec59577850e0a7367b5fbd780d732cb76fb814b134734f21102cc390
Instruction Fuzzy Hash: C3F05CB16482506BEF22C944ACD4F37BB9CCBC7318F151929F84557201E3619441C3E5

Function 0041B330 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52042383ae9116ef5cef2de8b578cd95b58dcf8ae2945c0acd97e50c34331e2f
Instruction ID: b90808f0e45e1e089d553ff27c91ba6f2e0ad3c2caebfdd83e04d91715e99d22
Opcode Fuzzy Hash: 52042383ae9116ef5cef2de8b578cd95b58dcf8ae2945c0acd97e50c34331e2f
Instruction Fuzzy Hash: 2AF0ECB160415497DB2289559CC0FB7FB9CCB8B354F190416EC9557202D2655894C3E9

Function 021953F5 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d80f5f5cbc2b6c1f41be0a22bb8918c6b7b56b7c55ebd358e6059de2f9bed6
Instruction ID: 38f6372dd55e72af92ee371d7702f51bbbcb02e32b5f22692f12ee8a04429e08
Opcode Fuzzy Hash: d1d80f5f5cbc2b6c1f41be0a22bb8918c6b7b56b7c55ebd358e6059de2f9bed6
Instruction Fuzzy Hash: 29F03A7051C3809BD305BB94D855A2EF7FAAF56705F441D2CE0C1A7252E37AD4248F57

Function 02190730 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92f60be16899d7b982113b092b7fb7a0d6c2427454bccfa5bde087621659658
Instruction ID: 8eb305e68735d0c2aa912fb6319d335da25c95eb342c176e4f028144d8070ebc
Opcode Fuzzy Hash: f92f60be16899d7b982113b092b7fb7a0d6c2427454bccfa5bde087621659658
Instruction Fuzzy Hash: C8F06579605700DFD3168F90CC94CA2B7B1FB89309301853DE68287136EA71E908CB54

Function 0044711B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae4b3d176fe3d9e6cfb88a54c04a35cb48f5a0a8002072fee7359236cb8bd63
Instruction ID: 47a14b461e903dbeb014341540f750bbb98732ec7d8519a36154f73ef99dc437
Opcode Fuzzy Hash: eae4b3d176fe3d9e6cfb88a54c04a35cb48f5a0a8002072fee7359236cb8bd63
Instruction Fuzzy Hash: 14F0927491C3408BE204DF64D69091EFBF2AB9BA05F500C6DF68593312C326DC45CB9A

Function 00441D40 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: ede5682b8c28294e075f40f1dacc9e23737c0304b007f35a3b59bcb766d625e6
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 5FD0A7B1A0832146AB748E19E400977F7F0EAC7B11F49955FF586E3268D334EC81C2AD

Function 0218EFCD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a795f8ef5e652ea344a094bc731230f83290aac36da0d4858e8841605762733
Instruction ID: 6be8ca2f6da8d2b310ab95312a60a4c04fc12b8e0d9fe95bdd7abdb3a2d00f21
Opcode Fuzzy Hash: 7a795f8ef5e652ea344a094bc731230f83290aac36da0d4858e8841605762733
Instruction Fuzzy Hash: FAC012B2C00218ABCB008FD0DC44BECFBB8EB0E310F102420F508F3110C230D4408B18

Function 021AD14E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61abe6b1e43f8342184777cfbc106182687a128398c07e3592712cafec1c730c
Instruction ID: bcd1d81db3e2e823662b9eb5de2562de4617df439db1d271cfc3f90a134be2fb
Opcode Fuzzy Hash: 61abe6b1e43f8342184777cfbc106182687a128398c07e3592712cafec1c730c
Instruction Fuzzy Hash: 61900220D482108691048E149640470E278530B103F103815950CF3412C254D400451C

Function 0218F922 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339bbb744fbb441b37558d246a09817203e9089019802e3a16bab19ea14e63aa
Instruction ID: 9953a02bc4ea1bb9e157bdff1bb8d0907a77f1db5771fec45f97fa64defb1131
Opcode Fuzzy Hash: 339bbb744fbb441b37558d246a09817203e9089019802e3a16bab19ea14e63aa
Instruction Fuzzy Hash:

Function 021B6F89 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 021B6F92
VariantInit.OLEAUT32 ref: 021B6F9E

Strings

1, xrefs: 021B6FBA
=, xrefs: 021B6FCA
>, xrefs: 021B6FFE
3, xrefs: 021B6FC2
9, xrefs: 021B6FDA
0, xrefs: 021B6FE6
!, xrefs: 021B7006
;, xrefs: 021B6FE2
!, xrefs: 021B6FF6
?, xrefs: 021B6FD2

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction ID: a5e0409b42cb21aa24b087aa2dba41891a286c847f0c2cd83e3dbd4c8f574260
Opcode Fuzzy Hash: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction Fuzzy Hash: 674126300087818ED722DF3C9488606BFA0AF16214F088A8DE8E64F7D6C775E605CB62

Function 00436D22 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00436D2B
VariantInit.OLEAUT32 ref: 00436D37

Strings

3, xrefs: 00436D5B
!, xrefs: 00436D8F
1, xrefs: 00436D53
9, xrefs: 00436D73
0, xrefs: 00436D7F
;, xrefs: 00436D7B
>, xrefs: 00436D97
?, xrefs: 00436D6B
=, xrefs: 00436D63
!, xrefs: 00436D9F

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction ID: dce76f18d0c2847a660f32665c65f5c980a7f4d88856c9310731f7cf479fe7be
Opcode Fuzzy Hash: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction Fuzzy Hash: 754106701087818FD722DF3C9588606BFA0AB16314F488A9DD8E64F7D6C774E605C762

Function 021B6182 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 78COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 021B618E
VariantInit.OLEAUT32 ref: 021B619A

Strings

?, xrefs: 021B61CE
3, xrefs: 021B61BE
;, xrefs: 021B61DE
>, xrefs: 021B61FA
9, xrefs: 021B61D6
=, xrefs: 021B61C6
!, xrefs: 021B61F2
1, xrefs: 021B61B6
!, xrefs: 021B6202
0, xrefs: 021B61E2

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction ID: d11e884aa42a0d21e3e5d825941d03b07593176cb5694892d11a02fb9ee29e78
Opcode Fuzzy Hash: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction Fuzzy Hash: 5741E7704097808ED726CF6C9584746BFE0AF26224F488A8DD8E54F79BC365E606CB62

Function 00435F1B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 78COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435F27
VariantInit.OLEAUT32 ref: 00435F33

Strings

9, xrefs: 00435F6F
?, xrefs: 00435F67
>, xrefs: 00435F93
!, xrefs: 00435F8B
=, xrefs: 00435F5F
3, xrefs: 00435F57
1, xrefs: 00435F4F
0, xrefs: 00435F7B
!, xrefs: 00435F9B
;, xrefs: 00435F77

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction ID: bd7fa2d9b3d987461a1fb8d7b0d277e8894d75febd5d938405cb1f81150e01dc
Opcode Fuzzy Hash: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction Fuzzy Hash: C841E930109780CED726CF6C9584706BFE06B16324F488A8EE8E54F7D7C765D606CB62

Function 021B751A Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 021B7523
VariantInit.OLEAUT32 ref: 021B752F

Strings

~, xrefs: 021B75B5
*, xrefs: 021B7595
2, xrefs: 021B7575
3, xrefs: 021B7565
-, xrefs: 021B757D

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: *$-$2$3$~
API String ID: 2610073882-712268440
Opcode ID: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction ID: ce3c22d022247ef6ffc6a2164046117e960767111fcd3c7521264c75e8816671
Opcode Fuzzy Hash: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction Fuzzy Hash: 3341E570108B818ED726DF3C8588746BFE0AF26214F088A9CD8E98F396C775D515DB66

Function 004372B3 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004372BC
VariantInit.OLEAUT32 ref: 004372C8

Strings

*, xrefs: 0043732E
3, xrefs: 004372FE
-, xrefs: 00437316
~, xrefs: 0043734E
2, xrefs: 0043730E

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: *$-$2$3$~
API String ID: 2610073882-712268440
Opcode ID: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction ID: 60cbd62482cf228be9b6e719d21a7a82e449c946974cc26fe90643ebd4c431bc
Opcode Fuzzy Hash: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction Fuzzy Hash: 8F410770108B81CED721DF3C8588706BFE0AB26214F088A8DD8E98F397C775D515DB66

Function 00412763 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 300COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(910F9FD9,00000104), ref: 00412BB0

Strings

7, xrefs: 00412838
GD, xrefs: 00412770
XY, xrefs: 00412AD8
F?>1, xrefs: 00412A36
s{, xrefs: 004129A7

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DirectorySystem
String ID: 7$F?>1$GD$XY$s{
API String ID: 2188284642-1708563726
Opcode ID: fc0f454941e73d89c8600b02f15ed39ee35adba4237271d2f7a6d66bb47eb516
Instruction ID: 62ad8892d7640dbba1527e93f85876fe2800d594e9350e4a7a6b89632e521fd2
Opcode Fuzzy Hash: fc0f454941e73d89c8600b02f15ed39ee35adba4237271d2f7a6d66bb47eb516
Instruction Fuzzy Hash: 1CB18AB400C3808ED7708F24C494BEFBBE5AB9A308F14496EE8D89B252D7758589CF57

Function 021B9FD7 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 021B9FFB
GetWindowLongW.USER32 ref: 021BA02A
GetClipboardData.USER32 ref: 021BA03D
CloseClipboard.USER32 ref: 021BA140

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: 4804f38a6576cf7ba758ddc8dfb5b7c6f1161789c09feb3ee5e077d5cdfde1b2
Instruction ID: 7ca1a8032e68ac828bb08debefdf8a8511098b8e186da6a85ca68d6e60cb2857
Opcode Fuzzy Hash: 4804f38a6576cf7ba758ddc8dfb5b7c6f1161789c09feb3ee5e077d5cdfde1b2
Instruction Fuzzy Hash: 5041B4B49087858FD721AB7CD8483AEBFF1AF16220F058A6CD4E6472D1D7349545CBA3

Function 0043FF7B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043FFCB
SysAllocString.OLEAUT32 ref: 00440087

Strings

<;, xrefs: 00440033
=>?, xrefs: 0043FF83
13, xrefs: 0043FFA3, 0043FFAB

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocString
String ID: <;$13$=>?
API String ID: 2525500382-233072664
Opcode ID: eadfb38759a15d6bf80d1e0cf7a58bb9c6127851ff1dfacb242367057db8f5d2
Instruction ID: aef27eaaddc37be085e33d94480df1b121f3fdb86c47149d4cfce4d70e5ec3ca
Opcode Fuzzy Hash: eadfb38759a15d6bf80d1e0cf7a58bb9c6127851ff1dfacb242367057db8f5d2
Instruction Fuzzy Hash: 3A310CB410E380AFD310AF59E984A1FBBF5EB96705F90191EF5C18A212C37A8815CB67

Function 0218D417 Relevance: 6.2, APIs: 4, Instructions: 168threadCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0218D428
GetCurrentThreadId.KERNEL32 ref: 0218D43D
GetCurrentProcessId.KERNEL32 ref: 0218D443
ExitProcess.KERNEL32 ref: 0218D617

Memory Dump Source

Source File: 00000000.00000002.2424782929.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2180000_file.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID:
API String ID: 1029096631-0
Opcode ID: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction ID: 1588f71720387a5aad27fc4080215a7d4770d3a9682ac955b7cf3b113784869a
Opcode Fuzzy Hash: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction Fuzzy Hash: 5241237044C380ABD701BF69E584A1EFBF6AF66649F648C1CE5C497291C33AD4108FA7

Function 0043A888 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A8D6
GetSystemMetrics.USER32 ref: 0043A8E5

Strings

, xrefs: 0043A9B9

Memory Dump Source

Source File: 00000000.00000002.2424256288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2424256288.000000000045E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 65cae8f6cdf4aa0ee36dce3bf563fb2e0777f3d215215006cc2803287500b777
Instruction ID: aff40aa290a2da8482ed65553a9083856d3f095cad100f3f2e2c159a29b72631
Opcode Fuzzy Hash: 65cae8f6cdf4aa0ee36dce3bf563fb2e0777f3d215215006cc2803287500b777
Instruction Fuzzy Hash: 2B519EB4E142089FDB40EFADE981A9DBBF0BB48310F118569E898E7350D734AD45CF96

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_b74f308923c8e8441a81d87f1d6d177acdd8a4_85207d7d_3f7ce61f-b630-4548-969c-0704773cacc8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_2f6dbba0-17a5-4a1a-8cb9-77733719e7ba\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_40863313-8c37-4cc6-94d9-423ab9d146ca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_787f3a4b-fbba-4f88-bfc1-e8c5ed65ad86\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_7d989db4-cfd3-48a7-9c97-e7906e6376f5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_f0f65fa3-ef24-4b74-abe3-6938cc277839\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_f685cb8d-656a-4568-bf4b-035c02b730f9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8932.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER89C0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A2E.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C6E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CCD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D0D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F4E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F6E.tmp.xml

Windows Analysis Report
file.exe