Edit tour

Windows Analysis Report
fASbbWNgm1.exe

Overview

General Information

Sample name:	fASbbWNgm1.exe renamed because original name is a hash value
Original sample name:	ac06141a8a10f4f82e8a3959bc903b0e.exe
Analysis ID:	1527260
MD5:	ac06141a8a10f4f82e8a3959bc903b0e
SHA1:	0b0517ee4e2c70fac223c128279efe9674c2ea5c
SHA256:	018a06629d08e98974d3e8685e93e5d3992b5690dfec9c4bb12db31d17bda187
Tags:	exeLummaStealeruser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

fASbbWNgm1.exe (PID: 5132 cmdline: "C:\Users\user\Desktop\fASbbWNgm1.exe" MD5: AC06141A8A10F4F82E8A3959BC903B0E)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["gutterydhowi.shop", "reinforcenh.shop", "vozmeatillu.shop", "fragnantbui.shop", "offensivedzvju.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "stogeneratmns.shop"], "Build id": "H8NgCl--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:29.274582+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49715	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:29.274582+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49715	104.21.53.8	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.847614+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.6	63557	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.859158+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.6	52783	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.717636+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.6	50070	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.810859+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.6	55427	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.824298+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.6	62392	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.881547+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.6	55584	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.869740+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.6	56877	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T22:10:26.835603+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.6	52131	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: 3.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["gutterydhowi.shop", "reinforcenh.shop", "vozmeatillu.shop", "fragnantbui.shop", "offensivedzvju.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "stogeneratmns.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for submitted file

Source: fASbbWNgm1.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: fASbbWNgm1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49715 version: TLS 1.2

Source: fASbbWNgm1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\rje\tg\kdsmt7\obj\Release\ojc.pdb source: fASbbWNgm1.exe
Source:	Binary string: c:\rje\tg\kdsmt7\obj\Release\ojc.pdbX source: fASbbWNgm1.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	3_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	3_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	3_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_004109FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	3_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	3_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_0040ED69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea edx, dword ptr [eax+edi]	3_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, ebp	3_2_00422063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	3_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00407070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	3_2_0044716D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	3_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	3_2_0044711B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	3_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	3_2_0042A1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0041518E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	3_2_00448190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	3_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	3_2_0041325D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00422260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00425320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_0041B330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	3_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	3_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	3_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ebx	3_2_00430399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	3_2_00444480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004354A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000110h]	3_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	3_2_00445580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	3_2_00440580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00422673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_0044A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004296C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004446C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_0042268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_004276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	3_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	3_2_0042F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then shrd esi, edx, 00000001h	3_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00431720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	3_2_00420729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	3_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_0044A7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+24h], DEC6D8DEh	3_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3BABA5E0h	3_2_00444960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00427900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	3_2_0044A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	3_2_0040DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	3_2_0042FAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	3_2_00404B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	3_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	3_2_00413B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	3_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	3_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp di, 005Ch	3_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	3_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	3_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	3_2_00405C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00422C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_00441D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_0041DD55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00414D8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0040DE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	3_2_00431ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, word ptr [esi]	3_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000005A8h]	3_2_00420F8A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.6:52131 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.6:50070 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.6:55584 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.6:52783 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.6:56877 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.6:63557 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.6:62392 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.6:55427 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: fASbbWNgm1.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: fASbbWNgm1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: fASbbWNgm1.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: fASbbWNgm1.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: fASbbWNgm1.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: fASbbWNgm1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: fASbbWNgm1.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: fASbbWNgm1.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: fASbbWNgm1.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: fASbbWNgm1.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: fASbbWNgm1.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: fASbbWNgm1.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: fASbbWNgm1.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: fASbbWNgm1.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstu
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop/api
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/apin
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/api
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop:443/api6
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apip
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/6
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900q
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop:443/api
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop:443/api
Source: fASbbWNgm1.exe	String found in binary or memory: https://www.entrust.net/rpa0

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49715 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00439D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00439D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0043A264 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_0043A264

System Summary

.NET source code contains very large array initializations

Source: fASbbWNgm1.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 360448

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040F242	3_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410A14	3_2_00410A14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FEA0	3_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00434060	3_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B010	3_2_0040B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F038	3_2_0042F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00440118	3_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409130	3_2_00409130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00434136	3_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043F1E0	3_2_0043F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004492C0	3_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401297	3_2_00401297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00405320	3_2_00405320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A3F0	3_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004073B0	3_2_004073B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449410	3_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B4B0	3_2_0040B4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449580	3_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411600	3_2_00411600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D6F0	3_2_0042D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449690	3_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00448740	3_2_00448740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408750	3_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403710	3_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004407E0	3_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449780	3_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041E85A	3_2_0041E85A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042887B	3_2_0042887B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00430810	3_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00439880	3_2_00439880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A940	3_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041E900	3_2_0041E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449A40	3_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409AC4	3_2_00409AC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00444B60	3_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DB00	3_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00439B00	3_2_00439B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041FB39	3_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DBD5	3_2_0042DBD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00448C40	3_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00428D00	3_2_00428D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00428D1C	3_2_00428D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0044AD20	3_2_0044AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00429DC9	3_2_00429DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407DB0	3_2_00407DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00437E70	3_2_00437E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CEC0	3_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00429EE0	3_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410E90	3_2_00410E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BFC0	3_2_0040BFC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CB10 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041DBA0 appears 150 times

Source: fASbbWNgm1.exe

Static PE information: invalid certificate

Source: fASbbWNgm1.exe, 00000000.00000002.2148987157.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs fASbbWNgm1.exe
Source: fASbbWNgm1.exe	Binary or memory string: OriginalFilenameVQP.exeD vs fASbbWNgm1.exe

Source: fASbbWNgm1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fASbbWNgm1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/1@10/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00437110 CoCreateInstance,

3_2_00437110

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fASbbWNgm1.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03

Source: fASbbWNgm1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fASbbWNgm1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fASbbWNgm1.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\fASbbWNgm1.exe "C:\Users\user\Desktop\fASbbWNgm1.exe"
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: fASbbWNgm1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fASbbWNgm1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: fASbbWNgm1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\rje\tg\kdsmt7\obj\Release\ojc.pdb source: fASbbWNgm1.exe
Source:	Binary string: c:\rje\tg\kdsmt7\obj\Release\ojc.pdbX source: fASbbWNgm1.exe

Source: fASbbWNgm1.exe

Static PE information: section name: .text entropy: 7.995293048015843

Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe TID: 1464	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5804	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00446BB0 LdrInitializeThunk,

3_2_00446BB0

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: fASbbWNgm1.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: fASbbWNgm1.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: fASbbWNgm1.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Code function: 0_2_02BC2151 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02BC2151

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: fASbbWNgm1.exe, 00000000.00000002.2150166675.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000	Jump to behavior
Source: C:\Users\user\Desktop\fASbbWNgm1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7FC008	Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\fASbbWNgm1.exe

Queries volume information: C:\Users\user\Desktop\fASbbWNgm1.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fASbbWNgm1.exe	68%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
sergei-esenin.com	104.21.53.8	true	true	unknown
fragnantbui.shop	unknown	unknown	true	unknown
gutterydhowi.shop	unknown	unknown	true	unknown
offensivedzvju.shop	unknown	unknown	true	unknown
stogeneratmns.shop	unknown	unknown	true	unknown
reinforcenh.shop	unknown	unknown	true	unknown
drawzhotdog.shop	unknown	unknown	true	unknown
ghostreedmnu.shop	unknown	unknown	true	unknown
vozmeatillu.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
reinforcenh.shop	true		unknown
stogeneratmns.shop	true		unknown
ghostreedmnu.shop	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
fragnantbui.shop	true		unknown
gutterydhowi.shop	true		unknown
offensivedzvju.shop	true		unknown
drawzhotdog.shop	true		unknown
https://sergei-esenin.com/api	true		unknown
vozmeatillu.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://drawzhotdog.shop/api	RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	fASbbWNgm1.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	fASbbWNgm1.exe	false	URL Reputation: safe	unknown
https://sergei-esenin.com/	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstu	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://stogeneratmns.shop:443/api	RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com:443/apip	RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reinforcenh.shop/api	RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/ts1ca.crl0	fASbbWNgm1.exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/6	RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900q	RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	fASbbWNgm1.exe	false	URL Reputation: safe	unknown
https://ghostreedmnu.shop/apin	RegAsm.exe, 00000003.00000002.2175608083.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/76561199724331900	RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://aia.entrust.net/ts1-chain256.cer01	fASbbWNgm1.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reinforcenh.shop:443/api6	RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://vozmeatillu.shop:443/api	RegAsm.exe, 00000003.00000002.2175791952.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175918010.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/2048ca.crl0	fASbbWNgm1.exe	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	fASbbWNgm1.exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	RegAsm.exe, 00000003.00000002.2175791952.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2175608083.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527260
Start date and time:	2024-10-06 22:09:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fASbbWNgm1.exe renamed because original name is a hash value
Original Sample Name:	ac06141a8a10f4f82e8a3959bc903b0e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/1@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 14 Number of non-executed functions: 105
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: fASbbWNgm1.exe

Simulations

Behavior and APIs

Time	Type	Description
16:10:25	API Interceptor	3x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	file.exe	Get hash	malicious	LummaC	Browse
	Launch.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	172.67.206.204
	Launch.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.206.204
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	104.102.49.254
	msvcp110.dll	Get hash	malicious	LummaC	Browse	104.102.49.254
	Launch.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://revexhibition.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://revsolsavenue.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://duttweilerangel6891-sidebarg165895-flarew256.pages.dev/help/contact/656749019228815	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://rajdeep-006.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	http://barik-ankita.github.io/Netflix-clone	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	http://kashishoza.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	162.159.140.229
	http://codeeezzz.github.io/netflix-clone	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://shreyascyber.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	http://duttweilerangel6891-sidebarg165895-flarew256.pages.dev/help/contact/581207279857749	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://directcoverbet.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.66.44.139
AKAMAI-ASUS	na.elf	Get hash	malicious	Mirai	Browse	104.119.246.31
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	na.elf	Get hash	malicious	Mirai	Browse	184.29.182.72
	https://store.dewaffled.ru.net/	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommynutiy.com/glft/8412	Get hash	malicious	Unknown	Browse	88.221.169.65
	http://ipfs.io/ipfs/bafybeidgkzr2gy7npe4yonk6p7s4chmwvgd2cp7bk7u6llfwiutgvt77tq	Get hash	malicious	HTMLPhisher	Browse	88.221.168.23
	na.elf	Get hash	malicious	Mirai	Browse	95.101.248.33
	na.elf	Get hash	malicious	Mirai	Browse	95.101.173.128
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	http://directcoverbet.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	wu5C20dPdy.exe	Get hash	malicious	SmokeLoader	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	https://lynwoodgrove.com/Comerica/file/prohqcker1.php	Get hash	malicious	Unknown	Browse	104.21.53.8 104.102.49.254
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, MicroClip	Browse	104.21.53.8 104.102.49.254
	msvcp110.dll	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	Launch.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254

Process:	C:\Users\user\Desktop\fASbbWNgm1.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.988154781813208
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	fASbbWNgm1.exe
File size:	380'456 bytes
MD5:	ac06141a8a10f4f82e8a3959bc903b0e
SHA1:	0b0517ee4e2c70fac223c128279efe9674c2ea5c
SHA256:	018a06629d08e98974d3e8685e93e5d3992b5690dfec9c4bb12db31d17bda187
SHA512:	35a743b59b7c8892538249222e5fcabc00691d00c0ecd329ca2201337e405f8fb750daee58b5d8b17e68ce507ea587eabd38c64d9cd0ee0ec1f12dabc1b0f298
SSDEEP:	6144:Z2x8Tqsn/Fh4ZaVjfDAwJdklMimuxVcHlgxab3TIlFtFPh2grsIqFhiwDF+BHEO:Z2x8Tqc4ZDQAYKxaHSFPh2grsP1DF+Zt
TLSH:	1F842346AAB70471CDF19FF45526A36F1A3AF4ACC47B0F0E8A445B7E63002591EA60F9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..f............................~.... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45bc7e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F6FA26 [Fri Sep 27 18:32:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5bc30	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5a800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5baf8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x59c84	0x59e00	ca9963b471a6d16f8f70f0e4116337b4	False	0.9933012430458971	data	7.995293048015843	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x5c8	0x600	112c7dedf4c69c0c9710beeff0f78d2c	False	0.4368489583333333	data	4.119926545451393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	31dc98651da62ec6f6840085cbf21e94	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x5c3d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T22:10:26.717636+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.6	50070	1.1.1.1	53	UDP
2024-10-06T22:10:26.810859+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.6	55427	1.1.1.1	53	UDP
2024-10-06T22:10:26.824298+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.6	62392	1.1.1.1	53	UDP
2024-10-06T22:10:26.835603+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.6	52131	1.1.1.1	53	UDP
2024-10-06T22:10:26.847614+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.6	63557	1.1.1.1	53	UDP
2024-10-06T22:10:26.859158+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.6	52783	1.1.1.1	53	UDP
2024-10-06T22:10:26.869740+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.6	56877	1.1.1.1	53	UDP
2024-10-06T22:10:26.881547+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.6	55584	1.1.1.1	53	UDP
2024-10-06T22:10:29.274582+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49715	104.21.53.8	443	TCP
2024-10-06T22:10:29.274582+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49715	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 22:10:26.904525995 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:26.904573917 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:26.904670954 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:26.907679081 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:26.907696009 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:27.568825006 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:27.568906069 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:27.573296070 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:27.573311090 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:27.573590994 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:27.625361919 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:27.665580988 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:27.707418919 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.069484949 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.069506884 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.069514036 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.069550037 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.069557905 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.069572926 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.069602966 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.069623947 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.069623947 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.069650888 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.169194937 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.169238091 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.169280052 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.169313908 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.169332981 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.169362068 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.173263073 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.173337936 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.173346996 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.173387051 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.173393965 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.173444033 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.197542906 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.197570086 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.197603941 CEST	49713	443	192.168.2.6	104.102.49.254
Oct 6, 2024 22:10:28.197612047 CEST	443	49713	104.102.49.254	192.168.2.6
Oct 6, 2024 22:10:28.218377113 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:28.218472004 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:28.218556881 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:28.218914032 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:28.218954086 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:28.771599054 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:28.771787882 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:28.773351908 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:28.773370028 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:28.773798943 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:28.775449991 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:28.775489092 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:28.775564909 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:29.274595022 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:29.274723053 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:29.274816036 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:29.274991989 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:29.275041103 CEST	443	49715	104.21.53.8	192.168.2.6
Oct 6, 2024 22:10:29.275073051 CEST	49715	443	192.168.2.6	104.21.53.8
Oct 6, 2024 22:10:29.275090933 CEST	443	49715	104.21.53.8	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 22:10:26.717636108 CEST	50070	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.807391882 CEST	53	50070	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.810858965 CEST	55427	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.820015907 CEST	53	55427	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.824297905 CEST	62392	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.833456039 CEST	53	62392	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.835602999 CEST	52131	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.845310926 CEST	53	52131	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.847614050 CEST	63557	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.856919050 CEST	53	63557	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.859158039 CEST	52783	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.867564917 CEST	53	52783	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.869740009 CEST	56877	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.879406929 CEST	53	56877	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.881546974 CEST	55584	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.890909910 CEST	53	55584	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:26.893058062 CEST	62075	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:26.900326014 CEST	53	62075	1.1.1.1	192.168.2.6
Oct 6, 2024 22:10:28.205415010 CEST	61309	53	192.168.2.6	1.1.1.1
Oct 6, 2024 22:10:28.217459917 CEST	53	61309	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 22:10:26.717636108 CEST	192.168.2.6	1.1.1.1	0x8b35	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.810858965 CEST	192.168.2.6	1.1.1.1	0x479c	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.824297905 CEST	192.168.2.6	1.1.1.1	0x20dd	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.835602999 CEST	192.168.2.6	1.1.1.1	0xa0ae	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.847614050 CEST	192.168.2.6	1.1.1.1	0x462b	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.859158039 CEST	192.168.2.6	1.1.1.1	0xd557	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.869740009 CEST	192.168.2.6	1.1.1.1	0x48e8	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.881546974 CEST	192.168.2.6	1.1.1.1	0x3e1b	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.893058062 CEST	192.168.2.6	1.1.1.1	0x107e	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:28.205415010 CEST	192.168.2.6	1.1.1.1	0xd192	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 22:10:26.807391882 CEST	1.1.1.1	192.168.2.6	0x8b35	Name error (3)	ghostreedmnu.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.820015907 CEST	1.1.1.1	192.168.2.6	0x479c	Name error (3)	gutterydhowi.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.833456039 CEST	1.1.1.1	192.168.2.6	0x20dd	Name error (3)	offensivedzvju.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.845310926 CEST	1.1.1.1	192.168.2.6	0xa0ae	Name error (3)	vozmeatillu.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.856919050 CEST	1.1.1.1	192.168.2.6	0x462b	Name error (3)	drawzhotdog.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.867564917 CEST	1.1.1.1	192.168.2.6	0xd557	Name error (3)	fragnantbui.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.879406929 CEST	1.1.1.1	192.168.2.6	0x48e8	Name error (3)	stogeneratmns.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.890909910 CEST	1.1.1.1	192.168.2.6	0x3e1b	Name error (3)	reinforcenh.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:26.900326014 CEST	1.1.1.1	192.168.2.6	0x107e	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:28.217459917 CEST	1.1.1.1	192.168.2.6	0xd192	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 6, 2024 22:10:28.217459917 CEST	1.1.1.1	192.168.2.6	0xd192	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	104.102.49.254	443	5836	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 20:10:27 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-06 20:10:28 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 06 Oct 2024 20:10:27 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=755df5bb89565935d704b6ae; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-06 20:10:28 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-06 20:10:28 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-06 20:10:28 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-06 20:10:28 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	104.21.53.8	443	5836	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 20:10:28 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-06 20:10:28 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-06 20:10:29 UTC	774	IN	HTTP/1.1 200 OK Date: Sun, 06 Oct 2024 20:10:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gnp1en172rd3nin4g8vbfugff8; expires=Thu, 30 Jan 2025 13:57:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s4uK2Fs86uDOJXMCOzivt%2FHvpFakwT41Ao0Z82Glizrc1ignUvHk3olmaSPvwxA1LEmyOCty3QDY8%2F71FM7V55rhXpYAXw602OO8EVNmQc6CBYZEg33AM6ae%2B7Y4WWPbwZyieQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ce84b8a3b437ca8-EWR
2024-10-06 20:10:29 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-06 20:10:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:10:24
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\fASbbWNgm1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fASbbWNgm1.exe"
Imagebase:	0x840000
File size:	380'456 bytes
MD5 hash:	AC06141A8A10F4F82E8A3959BC903B0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:10:24
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:10:25
Start date:	06/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x5b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	29.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02BC2151 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02BC20C3,02BC20B3), ref: 02BC22C0
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02BC22D3
Wow64GetThreadContext.KERNEL32(00000318,00000000), ref: 02BC22F1
ReadProcessMemory.KERNELBASE(0000031C,?,02BC2107,00000004,00000000), ref: 02BC2315
VirtualAllocEx.KERNELBASE(0000031C,?,?,00003000,00000040), ref: 02BC2340
WriteProcessMemory.KERNELBASE(0000031C,00000000,?,?,00000000,?), ref: 02BC2398
WriteProcessMemory.KERNELBASE(0000031C,00400000,?,?,00000000,?,00000028), ref: 02BC23E3
WriteProcessMemory.KERNELBASE(0000031C,-00000008,?,00000004,00000000), ref: 02BC2421
Wow64SetThreadContext.KERNEL32(00000318,029B0000), ref: 02BC245D
ResumeThread.KERNELBASE(00000318), ref: 02BC246C

Strings

VirtualAllocEx, xrefs: 02BC2251
TerminateProcess, xrefs: 02BC234F
aryA, xrefs: 02BC2197
VirtualAlloc, xrefs: 02BC2218
SetThreadContext, xrefs: 02BC2277
ReadProcessMemory, xrefs: 02BC223E
GetThreadContext, xrefs: 02BC222B
Load, xrefs: 02BC218F
GetP, xrefs: 02BC21D3
ResumeThread, xrefs: 02BC228D
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02BC22BF
CreateProcessA, xrefs: 02BC2205
ress, xrefs: 02BC21DB
WriteProcessMemory, xrefs: 02BC2264

Memory Dump Source

Source File: 00000000.00000002.2149513531.0000000002BC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bc1000_fASbbWNgm1.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 57718f12a3f45634f5617b2c7fb8075858dff5eb127d768658b9626936a96cf1
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 04B1E57664028AAFDB60CF68CC80BDA77A5FF88714F158564EA0CAB341D774FA41CB94

Function 00FE1271 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00FE12F8

Memory Dump Source

Source File: 00000000.00000002.2149196320.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_fASbbWNgm1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e50936540d64fb660a7ce10808b06da56ca29d1d6bea0e01ba8e905f9411d692
Instruction ID: 283b97474fcb40ae427e9644cdd9af6d333d343bfe9428cd84243073dd8aaf60
Opcode Fuzzy Hash: e50936540d64fb660a7ce10808b06da56ca29d1d6bea0e01ba8e905f9411d692
Instruction Fuzzy Hash: 0921E2B58012499FDF10DFAAC981ADEBBF0FF88710F10852AE519A7250C7755915CFA1

Function 00FE1278 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00FE12F8

Memory Dump Source

Source File: 00000000.00000002.2149196320.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_fASbbWNgm1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dff2154d773bbeb80441a3fa6763deb6a45fdced44e97ca03a6ed009179f2b21
Instruction ID: 07ee07c87ea66d9f1b8ba1cf6a12c4d3e27bde42a3082edb0e32a1247b590430
Opcode Fuzzy Hash: dff2154d773bbeb80441a3fa6763deb6a45fdced44e97ca03a6ed009179f2b21
Instruction Fuzzy Hash: 342113B1800249DFDF10DFAAC980ADEFBF4FF48310F10842AE919A7240C7756910CBA1

Analysis Process: RegAsm.exePID: 5836, Parent PID: 5132COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	55.7%
Total number of Nodes:	61
Total number of Limit Nodes:	9

Executed Functions

Function 0040FEA0 Relevance: 14.4, Strings: 11, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-{(y, xrefs: 004108AB
+w#u, xrefs: 004108A4
!, xrefs: 00410160
WU, xrefs: 004100B6
vA, xrefs: 004107EE
-g.e, xrefs: 004108C0
|/s-, xrefs: 0041085E
j?n=, xrefs: 00410842
*, xrefs: 0041017E
c;j9, xrefs: 0041083B
a#B!, xrefs: 00410849

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *$+w#u$-g.e$-{(y$a#B!$c;j9$j?n=$vA$|/s-$WU$!
API String ID: 0-1787053657
Opcode ID: c13be54020f41ce89dab5dc43ca08c7f796e33f7d12026ab39e084d4114764ea
Instruction ID: c2bb247bafdb7313821d879b64bda63368b080b473f309f5bbc30140614eceec
Opcode Fuzzy Hash: c13be54020f41ce89dab5dc43ca08c7f796e33f7d12026ab39e084d4114764ea
Instruction Fuzzy Hash: F25223B8101B44CFD3208F25D985B9BBBF1FB45304F108A2DE5AA9BA90D7B4A449CF95

Function 0040F242 Relevance: 11.9, Strings: 9, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m5o7, xrefs: 0040F4FB
h=m?, xrefs: 0040F509
}%v', xrefs: 0040F56A
o9h;, xrefs: 0040F502
}%v', xrefs: 0040F517
x)*+, xrefs: 0040F51E
a1c3, xrefs: 0040F4F4
|s, xrefs: 0040F4AE
s!s#, xrefs: 0040F510

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: a1c3$h=m?$m5o7$o9h;$s!s#$x)*+$|s$}%v'$}%v'
API String ID: 0-3183375410
Opcode ID: 024ef0da4a596ea164a11865650f69faa876bc17e72d013c950936e6cad53d2c
Instruction ID: ab31153b6aecb880430fb79f64d743cd69268ca503e92c45a0fdefa4ad8a0f35
Opcode Fuzzy Hash: 024ef0da4a596ea164a11865650f69faa876bc17e72d013c950936e6cad53d2c
Instruction Fuzzy Hash: E712CF75904254CFCB24CFA4D8906ADBBB1FF4A314F28447ED845BB792D33A984ACB58

Function 004109FD Relevance: 10.1, Strings: 8, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-{(y, xrefs: 004108AB
+w#u, xrefs: 004108A4
vA, xrefs: 004107EE
-g.e, xrefs: 004108C0
|/s-, xrefs: 0041085E
j?n=, xrefs: 00410842
c;j9, xrefs: 0041083B
a#B!, xrefs: 00410849

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +w#u$-g.e$-{(y$a#B!$c;j9$j?n=$vA$|/s-
API String ID: 0-3368389427
Opcode ID: 7cdf59660103e34530295848d8297454cd7db00b4eee7c08d484b65ddcde7457
Instruction ID: ef5da5caff501121846a183971fce4e3a24f1d29a4bd3fd26003c313b652faee
Opcode Fuzzy Hash: 7cdf59660103e34530295848d8297454cd7db00b4eee7c08d484b65ddcde7457
Instruction Fuzzy Hash: 26511DB8801B44CFD320DF65D58579BBAF1BB11300F508A0DE5AA6BB90D7B4A049CF9A

Function 00446C3F Relevance: 7.9, Strings: 6, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;tD, xrefs: 004475A0
@, xrefs: 00446CBB
4`[b, xrefs: 004470A0
bkji, xrefs: 00446F7B, 00446F53, 00446F5B
bkji, xrefs: 00447092, 00446FEF
%sgh, xrefs: 00446E10

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %sgh$4`[b$;tD$@$bkji$bkji
API String ID: 0-2268879959
Opcode ID: 94df2760f8db060c208eec00ee275b17ceaeda88ae7b023788925bbd64218746
Instruction ID: 3f5a3689fe6e23831503edc09df9701b4f8abac82631b9520675ae7212839888
Opcode Fuzzy Hash: 94df2760f8db060c208eec00ee275b17ceaeda88ae7b023788925bbd64218746
Instruction Fuzzy Hash: 87D17B7560C3419BE700DF24D890B2EBBE5EF8630AF55882DE1C58B2A2D339D855CB5B

Function 0040F940 Relevance: 5.4, Strings: 4, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,S, xrefs: 0040FAEC
hl`b, xrefs: 0040F952
(+, xrefs: 0040FC95
abv>, xrefs: 0040F983, 0040F98B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,S$abv>$hl`b$(+
API String ID: 0-1477408855
Opcode ID: 72ac0c004794a08c95aa35a317ae4500911b9d1d818d48228cf010c78f30d133
Instruction ID: 9f817a8e2a67d5e9bb77a4aa321ba27626eab226e45f4db4f393a7a4b5a1abac
Opcode Fuzzy Hash: 72ac0c004794a08c95aa35a317ae4500911b9d1d818d48228cf010c78f30d133
Instruction Fuzzy Hash: 1DD15A7050C3848BD321DF18D494A2FBBE1AF92744F14093EE4D5AB792D33AD949CB9A

Function 00446BB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044A35D,005C003F,00000006,?,?,00000018,;:54,?,?), ref: 00446BDE

Strings

;:54, xrefs: 00446BB0, 00446BCC, 00446BDA

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54
API String ID: 2994545307-2887251705
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00410A14 Relevance: .7, Instructions: 731
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b8c6c1c0ad7b8407c0d06a4eeeb17eaaf0200cd1bee2cbab323eda1072f713
Instruction ID: 1ba0488450753c04a73f7314cc371f13e839d3e33e891539d3f436e863efcac3
Opcode Fuzzy Hash: 73b8c6c1c0ad7b8407c0d06a4eeeb17eaaf0200cd1bee2cbab323eda1072f713
Instruction Fuzzy Hash: 094299B4909245DFD7018F64D880BAFBBB5FF8A305F14486DF5819B261C379D880CBAA

Function 0040ED69 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af35127cc1491bfc61b17fa5ba87654075c7ae562b45c20c3b4bab04c1f43731
Instruction ID: 9edcf4d25f74866ae39aa047a6d5692af398919683ba0a025143113fbbde7ae8
Opcode Fuzzy Hash: af35127cc1491bfc61b17fa5ba87654075c7ae562b45c20c3b4bab04c1f43731
Instruction Fuzzy Hash: 40C04C75D44218ABCB109FD4DC44BEDF7B9EB0F211F142420F518F3150D670D4408B18

Function 0040D1B0 Relevance: 6.2, APIs: 4, Instructions: 168
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D1C1
GetCurrentThreadId.KERNEL32 ref: 0040D1D6
GetCurrentProcessId.KERNEL32 ref: 0040D1DC
ExitProcess.KERNEL32 ref: 0040D3B0

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID:
API String ID: 1029096631-0
Opcode ID: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction ID: cef429908aa3f9a371f43fe30aad8a3e1bbd179f5a8d92ac8e9d07c1c392d4d2
Opcode Fuzzy Hash: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction Fuzzy Hash: 4D41387490C380ABD301BFA9D544A1EFFE5AF52709F148D6DE5C4A7292C33AC8148B6B

Function 004465E0 Relevance: 1.6, APIs: 1, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00446664

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 926548098259e2fc225cf87cbf0a07f1f6e13c9ac034861a62f1b3963b3f043d
Instruction ID: 4ce622b64cc50561786442e2ebd757d5a7624bf01a3c6420f0681057dbec3c93
Opcode Fuzzy Hash: 926548098259e2fc225cf87cbf0a07f1f6e13c9ac034861a62f1b3963b3f043d
Instruction Fuzzy Hash: 1A11917150C3409BE301EF18E945A1BBBF4AFA7705F06482DE4C88B252D339D855CB9B

Function 00443DE0 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00443E53

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c51c400c6a17806a49d266ab07ccd44f8f0e899916b432d7c6c93a4536d318f1
Instruction ID: c100f27477890f830ed4a8073daf1caf7dd598550ae5831fd290d4e8889c83d3
Opcode Fuzzy Hash: c51c400c6a17806a49d266ab07ccd44f8f0e899916b432d7c6c93a4536d318f1
Instruction Fuzzy Hash: CAF03C34909241EBD701AF18E945A0EBBE5EF56B06F158C2DE4C49B261C239DC64CBAA

Non-executed Functions

Function 0042DB00 Relevance: 32.3, APIs: 2, Strings: 16, Instructions: 806COMMON

Download Yara Rule

Strings

"B, xrefs: 0042E515
PS, xrefs: 0042E606
A3L5, xrefs: 0042E5C6
1K&M, xrefs: 0042E5D6
4`[b, xrefs: 0042EC60
4`[b, xrefs: 0042E490
R7MI, xrefs: 0042E5CE
>C$E, xrefs: 0042E5E6
B, xrefs: 0042EBE8
)O?A, xrefs: 0042E5DE
B, xrefs: 0042E7DB, 0042EC80, 0042F00D
qB, xrefs: 0042E96B
P?[1, xrefs: 0042E633, 0042E63B
?G?Y, xrefs: 0042E5EE
f[,], xrefs: 0042E5F6
8_8Q, xrefs: 0042E5FE

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "B$)O?A$1K&M$4`[b$4`[b$8_8Q$>C$E$?G?Y$A3L5$P?[1$PS$R7MI$f[,]$qB$B$B
API String ID: 0-2207453258
Opcode ID: 4945f131cbcd63178f50a791d1600bd3529e92cfb1c3789f1156e4ce500b8d4d
Instruction ID: b527049b1f04bed8db2febbcc069cccee7980657cecff28908646a30116e1527
Opcode Fuzzy Hash: 4945f131cbcd63178f50a791d1600bd3529e92cfb1c3789f1156e4ce500b8d4d
Instruction Fuzzy Hash: 3C4210B1608305DFD314DF29E89062FBBE1FB9A305F44492DE5848B3A2E774D805CB9A

Function 00433240 Relevance: 20.3, APIs: 1, Strings: 10, Instructions: 1011COMMON

Download Yara Rule

Strings

GD, xrefs: 004332EE
2.%1, xrefs: 00433413
av%, xrefs: 0043326A
?;2, xrefs: 00433445
(\QQ, xrefs: 00433314
iJIQ, xrefs: 004339F8
NREH, xrefs: 004337E3
4_2], xrefs: 00433F8A
-6, xrefs: 004333A5
C+N), xrefs: 00433F58

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: av%$(\QQ$2.%1$4_2]$?;2$C+N)$GD$NREH$iJIQ$-6
API String ID: 0-2209209854
Opcode ID: 3dea97e05e88cb0162a67cab6b3455c4048c2d6602de325be8b757f4bce8188f
Instruction ID: 409dd95b141f07926cd205b7855d849f23a46d072771003b431955ec9f8a7ea4
Opcode Fuzzy Hash: 3dea97e05e88cb0162a67cab6b3455c4048c2d6602de325be8b757f4bce8188f
Instruction Fuzzy Hash: 41826970405B818ED7218F35C4907A3FBE0AF1B306F58695ED4EB9B282D739A605CF69

Function 0041FB39 Relevance: 17.4, Strings: 13, Instructions: 1195COMMON

Download Yara Rule

Strings

LTI, xrefs: 00420542
qo, xrefs: 0041FBDB
@A, xrefs: 00420DD6
URSP, xrefs: 004202E6
L, xrefs: 00420608
, xrefs: 0041FD80, 0041FE70, 0041FE37, 0041FD47, 0041FD56, 0041FE46
TWVQ, xrefs: 004205C6
X[ZE, xrefs: 004205E7
$'&!, xrefs: 0042059A
<E:G, xrefs: 00420DCB
yw, xrefs: 0041FBC5
A^_\, xrefs: 004202C5
Q=A?, xrefs: 00420DB5

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $'&!$<E:G$@A$A^_\$L$LTI$Q=A?$TWVQ$URSP$X[ZE$qo$yw$
API String ID: 0-2229384479
Opcode ID: 3686f5bc4b348d2d26c09967f31526b0b7d09be7330fbf0dcdca5f559d9bc543
Instruction ID: ade82052f7034141f3486747ce71b63ff0a93d90754f62eeb3371bc372faa748
Opcode Fuzzy Hash: 3686f5bc4b348d2d26c09967f31526b0b7d09be7330fbf0dcdca5f559d9bc543
Instruction Fuzzy Hash: 1EA2ACB46083809FE730CF11D881BABBBE1EFC5344F54492EE5C98B252DB799845CB5A

Function 00440118 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00440149
SysStringLen.OLEAUT32(?), ref: 004401FA
VariantClear.OLEAUT32 ref: 00440392

Strings

/.-,, xrefs: 004405E3, 004405EB
4`[b, xrefs: 004406D0
/.-,, xrefs: 00440693, 0044069B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInitString
String ID: /.-,$/.-,$4`[b
API String ID: 825681660-3655442430
Opcode ID: 74fa93fe1aa01fc7789c4b564c888145abc275ceb45d1c9a3e570741ec2b6672
Instruction ID: a146195070703f8030d25863cbf2834a15c96a942167813edb38b99b85ca9f11
Opcode Fuzzy Hash: 74fa93fe1aa01fc7789c4b564c888145abc275ceb45d1c9a3e570741ec2b6672
Instruction Fuzzy Hash: C6F1FEB2608301DFE300DF24E88172EB7E1FB89346F14492DE58197392D739E921CB5A

Function 0041E85A Relevance: 13.3, Strings: 10, Instructions: 773COMMON

Download Yara Rule

Strings

43!=, xrefs: 0041ED97
));:, xrefs: 0041ED76
4`[b, xrefs: 00421380
2+/&, xrefs: 0041ED81
>&0N, xrefs: 0041ED8C
4`[b, xrefs: 004212C0
, xrefs: 00421369, 00421327, 004212A9, 00421267, 0041E989, 0041E947, 0041E956, 00421276, 00421336
XZ, xrefs: 0041EC3C
9&=V, xrefs: 0041EDA2
4`[b, xrefs: 0041E9A0

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ));:$2+/&$43!=$4`[b$4`[b$4`[b$9&=V$>&0N$XZ$
API String ID: 0-801546609
Opcode ID: 48ab01e73fdbd6b2dce21db729467f16be9cdb8baeaf6a8ce1db0b34eeda6029
Instruction ID: 783a83c4c7002f34e80161bbf1eb2366d8f674cc96a2253d44dc20155df269f7
Opcode Fuzzy Hash: 48ab01e73fdbd6b2dce21db729467f16be9cdb8baeaf6a8ce1db0b34eeda6029
Instruction Fuzzy Hash: 7A42ABB55093809FE770CF24D891BEFBBE2AB85305F54092DE4C987352DB369891CB4A

Function 0041E900 Relevance: 13.1, Strings: 10, Instructions: 638COMMON

Download Yara Rule

Strings

43!=, xrefs: 0041ED97
));:, xrefs: 0041ED76
4`[b, xrefs: 00421380
2+/&, xrefs: 0041ED81
>&0N, xrefs: 0041ED8C
4`[b, xrefs: 004212C0
, xrefs: 00421369, 00421327, 004212A9, 00421267, 0041E989, 0041E947, 0041E956, 00421276, 00421336
XZ, xrefs: 0041EC3C
9&=V, xrefs: 0041EDA2
4`[b, xrefs: 0041E9A0

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ));:$2+/&$43!=$4`[b$4`[b$4`[b$9&=V$>&0N$XZ$
API String ID: 0-801546609
Opcode ID: cab73bcaef6991c62f1e654993cf0cfb54ad59c0c6f8896c587ea773f9eaa2d7
Instruction ID: 062afb2aaea30a15cde8f8ba60e72c14b850b42667b1157ee78ddc04b4dd17a7
Opcode Fuzzy Hash: cab73bcaef6991c62f1e654993cf0cfb54ad59c0c6f8896c587ea773f9eaa2d7
Instruction Fuzzy Hash: AA2268B45093808FE770CF25D890BEFBBE2ABC5315F54492DE4C987261DB369890CB56

Function 00401000 Relevance: 13.1, Strings: 9, Instructions: 1806COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 0040143A, 00401482
-, xrefs: 00402378
gfff, xrefs: 004023C2
gfff, xrefs: 00402429
gfff, xrefs: 00402472
A, xrefs: 0040235C
gfff, xrefs: 004023D7
@, xrefs: 00403035
0123456789ABCDEFXP, xrefs: 00401430, 00401473

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff$gfff
API String ID: 0-3313470780
Opcode ID: d03b9bd5d59a979f637d7c32a42309972cd1ad866a947f3eb9a7a269efeece6c
Instruction ID: 3f04b738466d3e8d91b581d682cb4af9ae4c9199947f3fc5e38c4488800fd8c5
Opcode Fuzzy Hash: d03b9bd5d59a979f637d7c32a42309972cd1ad866a947f3eb9a7a269efeece6c
Instruction Fuzzy Hash: C9D2F3716083418FD314CE29C89436BBBE2AFD9314F188A3EE499AB3D1D379D945CB46

Function 00410E90 Relevance: 13.0, Strings: 10, Instructions: 459COMMON

Download Yara Rule

Strings

s)+, xrefs: 00410F10
y-{, xrefs: 00410F8B
q!r#, xrefs: 00410F00
HiBk, xrefs: 00410FB7
+U?W, xrefs: 00410F18
9e5g, xrefs: 00410F96
?m0o, xrefs: 00410FAC
?a4c, xrefs: 00410FA1
z-~/, xrefs: 00410F08
iAbC, xrefs: 00410F49

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +U?W$9e5g$?a4c$?m0o$HiBk$iAbC$q!r#$s)+$z-~/$y-{
API String ID: 0-1667213943
Opcode ID: 94c7e916e61dbc1aef4b9996d49d202b70f6ccaffbb7d239b9fddca910e7af78
Instruction ID: db61fb89cbf57355de25a26b7224b8c415fa403fbe1b062cd5e3585aaa356518
Opcode Fuzzy Hash: 94c7e916e61dbc1aef4b9996d49d202b70f6ccaffbb7d239b9fddca910e7af78
Instruction Fuzzy Hash: B80253B410D380AFD3609F15D884B6FBBF5AB86744F50882DF6D88B261C7798844CF5A

Function 0042CEC0 Relevance: 12.9, Strings: 10, Instructions: 425COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042D400
cS'Q, xrefs: 0042CF57
+[&Y, xrefs: 0042CF67
$W U, xrefs: 0042CF5F
=O?M, xrefs: 0042CF8F
X+\), xrefs: 0042D101, 0042D0D4, 0042D0DD, 0042D10B
c/g-, xrefs: 0042CF4F
4`[b, xrefs: 0042D320
w1u, xrefs: 0042CF9F
/.-,, xrefs: 0042D3C4, 0042D3CD

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: w1u$$W U$+[&Y$/.-,$4`[b$4`[b$=O?M$X+\)$c/g-$cS'Q
API String ID: 0-1896435338
Opcode ID: f3b20549ed32967fa41e0b770e14c0a9f1733105eacce4aad3a787895fa9273f
Instruction ID: b05090eb9a83177901ea3704caff3b2f9a6eb8352bc78c1fc5c7ecac0665f33e
Opcode Fuzzy Hash: f3b20549ed32967fa41e0b770e14c0a9f1733105eacce4aad3a787895fa9273f
Instruction Fuzzy Hash: 7CE188B5608341DBE320DF24E881B2BBBF5FB86345F50482EF58487262D779E854CB1A

Function 00428FF0 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 460COMMON

Download Yara Rule

Strings

aq, xrefs: 00429466
~F, xrefs: 0042946E
W'Y, xrefs: 004295BB
`8, xrefs: 0042945E
qo, xrefs: 00429476
;{}, xrefs: 00429015

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ;{}$`8$aq$qo$~F$W'Y
API String ID: 0-4060129118
Opcode ID: bc58df64a225dbae0f541f826bf52a928db0aafb00a4db3f32ea25c37ab8fdb0
Instruction ID: 8b9829fc2b4919bb135ab6d18dd40f8c546e063c63e9033c8f6ca4485ea100bc
Opcode Fuzzy Hash: bc58df64a225dbae0f541f826bf52a928db0aafb00a4db3f32ea25c37ab8fdb0
Instruction Fuzzy Hash: 07023FB4208340ABD310DF55E980A2FBBF4EB96B49F40491DF4C99B252D339D905CBAB

Function 00422260 Relevance: 11.6, Strings: 9, Instructions: 387COMMON

Download Yara Rule

Strings

de, xrefs: 00422343
9E0C, xrefs: 00422303
/]([, xrefs: 00422313
r&B, xrefs: 0042266C
G5M3, xrefs: 004222E3
HI, xrefs: 00422517
\9b7, xrefs: 00422373, 0042237B
Q1:O, xrefs: 004222EB
xY9W, xrefs: 0042231B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /]([$9E0C$G5M3$HI$Q1:O$\9b7$de$r&B$xY9W
API String ID: 0-509952333
Opcode ID: eab2989d5c1ca6d9895e3b8815c2bec9bb0e9353bd6588a293385eb12087281d
Instruction ID: b20ecfa1218eb78e5202d0c738cbeec8428151f5f79ed63716bde37511c93a69
Opcode Fuzzy Hash: eab2989d5c1ca6d9895e3b8815c2bec9bb0e9353bd6588a293385eb12087281d
Instruction Fuzzy Hash: 5EA1A970108350ABC720EF18D891B2BB7F0EF91354F94894DE8D58B3A1E779D941CB6A

Function 00430810 Relevance: 10.7, Strings: 8, Instructions: 708COMMON

Download Yara Rule

Strings

VQgi, xrefs: 00430F5F
4`[b, xrefs: 00430B50
uvw, xrefs: 00430995
`h] , xrefs: 00430F6F
4`[b, xrefs: 00430E80
SV, xrefs: 00430F87
z, xrefs: 00430BA7
m1s3, xrefs: 004309C3, 004309CB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$SV$VQgi$`h] $m1s3$z$uvw
API String ID: 0-1570870778
Opcode ID: 6940bd77cd7df20c8438f87061f6af86a247c2cf395d55d692572ee4ab0c75c3
Instruction ID: 660509b604085e1a0b105996a5aed58a7c6aa5aa991dfcfa3e2d42d2c1c515d0
Opcode Fuzzy Hash: 6940bd77cd7df20c8438f87061f6af86a247c2cf395d55d692572ee4ab0c75c3
Instruction Fuzzy Hash: 4F42DDB1508340DFD310EF25D991A2BBBE1AF8A309F144A6EF5C497352D379E904CB5A

Function 00434136 Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1039COMMON

Download Yara Rule

Strings

jXJ,, xrefs: 00434A1B
34t, xrefs: 00434D30
QYMA, xrefs: 00434173
cos`, xrefs: 00434B1D

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 34t$QYMA$cos`$jXJ,
API String ID: 0-3026627037
Opcode ID: f8b66ab7bb3bfb9fc8db50659caa218e70da8c2d83bc6d0a9692e9b00dccea9c
Instruction ID: cdedb0f16f626838ad45ab5571db02497c84d10fb9eeda8d87be13f06e05827c
Opcode Fuzzy Hash: f8b66ab7bb3bfb9fc8db50659caa218e70da8c2d83bc6d0a9692e9b00dccea9c
Instruction Fuzzy Hash: E482CB70504B808FD726CF35C4907A7BBE1AF4A304F58996ED5EA8B692CB39F505CB18

Function 00439D70 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00439D94
GetWindowLongW.USER32 ref: 00439DC3
GetClipboardData.USER32 ref: 00439DD6
CloseClipboard.USER32 ref: 00439ED9

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: bd733db51de7a274a1ea2e485793d498a05ca025b0381db77358d02ebdc330fd
Instruction ID: f8eb7662055ae418468e5478b484177f75bb97afe56f8083e02c4ac8d2d6a6c6
Opcode Fuzzy Hash: bd733db51de7a274a1ea2e485793d498a05ca025b0381db77358d02ebdc330fd
Instruction Fuzzy Hash: 7041C5749087818FD711AB7CC84A26EBFA0AF56320F048A6DE4E6873D1D2789855C7A7

Function 00434060 Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 959COMMON

Download Yara Rule

Strings

jXJ,, xrefs: 00434A1B
34t, xrefs: 00434D30
cos`, xrefs: 00434B1D

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 34t$cos`$jXJ,
API String ID: 0-1477531880
Opcode ID: e6cf050e03f680f9534f78ef4aab8308371ff0f1078a72a46c214a2f3525f9ac
Instruction ID: 8753dea9b6e7294165946d73b9d4cbff6eac4e22efe94e5982482735d7dcf57e
Opcode Fuzzy Hash: e6cf050e03f680f9534f78ef4aab8308371ff0f1078a72a46c214a2f3525f9ac
Instruction Fuzzy Hash: A872CC70504B808FD7268F35C4907E3BBE1AF5A304F58986ED5EA8B692CB39F505CB58

Function 0040DA90 Relevance: 6.5, Strings: 5, Instructions: 268COMMON

Download Yara Rule

Strings

ZS, xrefs: 0040DAF6
(_+X, xrefs: 0040DD7E
RTjb, xrefs: 0040DD6E
PPaR, xrefs: 0040DD76
WX,3, xrefs: 0040DD86

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (_+X$PPaR$RTjb$WX,3$ZS
API String ID: 0-863934208
Opcode ID: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction ID: d0cf81dbf9aa542438e21b9e093ff4536dfe669ed3218448f7505fd5c5da7706
Opcode Fuzzy Hash: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction Fuzzy Hash: EAA166B450C3808FD3218F5995A062BFBE1AF96745F54896EE4E49B382C379C809CB57

Function 004446C0 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

_ZTn, xrefs: 00444780
O[=F, xrefs: 00444778
0, xrefs: 00444826
S]^Z, xrefs: 00444770
, xrefs: 004448C6, 004448A3, 004448AB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 0$O[=F$S]^Z$_ZTn$
API String ID: 2994545307-2719754397
Opcode ID: 6025b61dd59e6360ea53f82e5307d2b81f0fce3acd2d188a90f594a6a7657a1a
Instruction ID: 313905893d1e1e7e0242f4a1edf30df717f4d78309ef6d6032eb1adb43791fd7
Opcode Fuzzy Hash: 6025b61dd59e6360ea53f82e5307d2b81f0fce3acd2d188a90f594a6a7657a1a
Instruction Fuzzy Hash: CC8114B8608340ABE714DF15D890B2BFBE5FB8A314F14481EF99587391C739E815CB96

Function 00401297 Relevance: 5.9, Strings: 4, Instructions: 945COMMON

Download Yara Rule

Strings

0, xrefs: 00401FF6
0, xrefs: 00402558
i, xrefs: 00402B2F
0, xrefs: 004020C8

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$0$0$i
API String ID: 0-3333316649
Opcode ID: 637fd238475128122dba43368a2f42aa51ab3c75261021d03427150179f20968
Instruction ID: 4d04497d27c0910d96a9ab3bcd52dfe1a4558eb0619c28a52a2b343303b6e5ce
Opcode Fuzzy Hash: 637fd238475128122dba43368a2f42aa51ab3c75261021d03427150179f20968
Instruction Fuzzy Hash: FC72BE716083428FD314CF28C69472BBBE2ABD5344F18893EE495A73D1D7B8D949CB86

Function 0042DBD5 Relevance: 5.5, Strings: 4, Instructions: 488COMMON

Download Yara Rule

Strings

0U, xrefs: 0042DC0A
END', xrefs: 0042DC2A
Q34, xrefs: 0042DC12
*F)", xrefs: 0042DC32

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *F)"$0U$END'$Q34
API String ID: 0-484807741
Opcode ID: 6947439ce2a770810fac87f645673a2a4aadf96364a2cd933333a5574d7d2ca1
Instruction ID: 2d9c9b5bdf371bdc614e89d4fb155c3f311055695e7c9dcb6f8b99c6ec2a4304
Opcode Fuzzy Hash: 6947439ce2a770810fac87f645673a2a4aadf96364a2cd933333a5574d7d2ca1
Instruction Fuzzy Hash: ADF10DB1A08351DFC704CF25E84062BBBE1AF9A305F58486EF4C59B352D778E905CB8A

Function 0041F552 Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041F980
nInO, xrefs: 0041F657, 0041F666
, xrefs: 0041FA29, 0041F9E7, 0041F969, 0041F927, 0041F8A9, 0041F867, 0041F876, 0041F936, 0041F9F6
4`[b, xrefs: 0041FA40

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b$4`[b$nInO$
API String ID: 2994545307-1506492284
Opcode ID: 3065231b23380dae8df6ff952a9f52a90a3da71bd92ce920fb78ec851f738950
Instruction ID: 892bb54473547f6c3f17e525adf3228a4b55f96a76f350a56702ec2478476bef
Opcode Fuzzy Hash: 3065231b23380dae8df6ff952a9f52a90a3da71bd92ce920fb78ec851f738950
Instruction Fuzzy Hash: 1FC19AB45093809BE3349F10C861BEBB7F1BF89305F54092DE5CC9B291DB79A885CB5A

Function 0043A264 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A29A
GetSystemMetrics.USER32 ref: 0043A2A9

Strings

, xrefs: 0043A354

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c21be9d2694e2b68cfdc32f4eb9cabf62df2482831049d53af685cbe19498bb9
Instruction ID: 03140c3d05d663704b6b564207b4e2a79db1268aa39735f2662102cdacc9f5c2
Opcode Fuzzy Hash: c21be9d2694e2b68cfdc32f4eb9cabf62df2482831049d53af685cbe19498bb9
Instruction Fuzzy Hash: 1E3191B49143008FDB00EF69E985A5EBBF4FB89314F11892DE498DB360D774A948CB96

Function 00444B60 Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00444BE6, 00444BC3, 00444BCB
, xrefs: 00445212, 004451E3, 00444E96, 00444F08, 00444E73, 00444DEF, 00444DC3, 00444DCB, 00444E7B, 00444F0C, 004451EB
f, xrefs: 00444D86

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: f$$
API String ID: 0-2685584965
Opcode ID: e5fe15bc993402b79ae6fd0a8e8267b10b88acd63cba0fd7997ff48647d14ee1
Instruction ID: 85f8fbffd657e1a2c41f7e50236ae4f37192d85f09d5935e236d51d05d68cbad
Opcode Fuzzy Hash: e5fe15bc993402b79ae6fd0a8e8267b10b88acd63cba0fd7997ff48647d14ee1
Instruction Fuzzy Hash: 7D12AA716083418FE715CF28C890B2BBBE6BBC9314F194A2EF49597392D739E805CB56

Function 00422C90 Relevance: 4.3, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

hUVS, xrefs: 00423214, 0042321D
{jhk, xrefs: 004231DF
X, xrefs: 00422EE6

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: X$hUVS${jhk
API String ID: 0-1700130621
Opcode ID: 3f4bcb633678015ddfdabc249f28c4bdf0efc2fe8b785642f4c930266efd323e
Instruction ID: 062697985ec5d3873608a8fe0e6609fabf76f2f58c76c371f68d1c8877fce24f
Opcode Fuzzy Hash: 3f4bcb633678015ddfdabc249f28c4bdf0efc2fe8b785642f4c930266efd323e
Instruction Fuzzy Hash: 4202ADB5608350ABD300DF21E981A1FBBE5AFC5708F54882EF98897242D339ED059B5B

Function 00403710 Relevance: 4.2, Strings: 3, Instructions: 439COMMON

Download Yara Rule

Strings

Inf, xrefs: 00403767
NaN, xrefs: 0040376E
|, xrefs: 004039C2

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Inf$NaN$|
API String ID: 0-2466523057
Opcode ID: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction ID: 8dff6c7b172047a2ae6ef76387c72cebf5739e0883bf045c6ae33580d9919b23
Opcode Fuzzy Hash: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction Fuzzy Hash: A4E1C372B143019BC704DF28C88061BBBE5EBC4755F248A3EE895E73E5E675ED018B86

Function 00408750 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

IEND, xrefs: 00408BB0
), xrefs: 004087CC
), xrefs: 004087D6

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: df4f626cf024e61cea9d74bb21ad584babb789d8ef152633e427089c5937cec4
Instruction ID: e201d24cd4307b6ffba764ff5e07ee633e22e8df84828d647ac8a2efaddb935f
Opcode Fuzzy Hash: df4f626cf024e61cea9d74bb21ad584babb789d8ef152633e427089c5937cec4
Instruction Fuzzy Hash: DEE1E0B1A087019BD310DF28D88175ABBE0BB84314F144A3EE9D9A73C1D779E915CBDA

Function 00414D8D Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

oQA, xrefs: 00415169
*, xrefs: 00414F0B
H9, xrefs: 00414D8D

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *$H9$oQA
API String ID: 0-3086764009
Opcode ID: f7f7aabd342a089234bc4a55029cea29a7f16f20146576aa267cd8d08a302688
Instruction ID: e32ca05ba96c9175d4cce646fd607f1986eb62935b15cfcc67354a17a0a27be4
Opcode Fuzzy Hash: f7f7aabd342a089234bc4a55029cea29a7f16f20146576aa267cd8d08a302688
Instruction Fuzzy Hash: EDB138B05083809BD315EB94D880BAFFBF8AF96305F14092EE5C497252E379D854CB6B

Function 00440580 Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

/.-,, xrefs: 004405E3, 004405EB
4`[b, xrefs: 004406D0
/.-,, xrefs: 00440693, 0044069B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /.-,$/.-,$4`[b
API String ID: 0-3655442430
Opcode ID: f06a106d91e2cc7800fd747d151223e1fb3d4f498dee8cabf8de532cc40f2a63
Instruction ID: c748d1ae17558c148dad3250e2def7c23df5c0511277cb16bede94740d35a379
Opcode Fuzzy Hash: f06a106d91e2cc7800fd747d151223e1fb3d4f498dee8cabf8de532cc40f2a63
Instruction Fuzzy Hash: 0C51A1716083009BE714DF25E851B2FB7E5EF95346F01082DF2C197252D73AE921CBAA

Function 00422063 Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

-"B, xrefs: 00422227
TU, xrefs: 00422100
jABC, xrefs: 004221E3, 004221EB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -"B$TU$jABC
API String ID: 0-1472133093
Opcode ID: cb7b2110b44033b6b4bcad9678ed1a0df7346a6f9ae8281a6a8eca307ae42e4e
Instruction ID: cc864d50663ff5025ed46511f35f12994df011000135a368941414507477666c
Opcode Fuzzy Hash: cb7b2110b44033b6b4bcad9678ed1a0df7346a6f9ae8281a6a8eca307ae42e4e
Instruction Fuzzy Hash: 644198B0608354ABC700EF14E991B2BBBF1EF91740F44880DE9C58B351E3B9DA14CB5A

Function 0041325D Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

D, xrefs: 004134B6
", xrefs: 00413437
F'W9, xrefs: 004132CD

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "$D$F'W9
API String ID: 0-1820947052
Opcode ID: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction ID: f32d58d7e18b96630162a080e2e64c46b825db4d7c3546f9c88ca46c941da017
Opcode Fuzzy Hash: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction Fuzzy Hash: 0D51EBB40183809FE7608F11C5957AFBBF0BF92B08F50890DE4D85A290D7BA9548CF8A

Function 00425320 Relevance: 3.8, Strings: 3, Instructions: 99COMMON

Download Yara Rule

Strings

LO, xrefs: 00425375
KM, xrefs: 0042536D
0TB, xrefs: 0042542A

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0TB$LO$KM
API String ID: 0-2473149073
Opcode ID: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction ID: 5af698da3240ce5cf2f13bd734f54302c2ab68d98fd4413b216b81fbb1d13a70
Opcode Fuzzy Hash: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction Fuzzy Hash: CA21BFB45096209BC310EB18D841A2BB7F4EF92799F95590DE4C587391E378D900CBAB

Function 0044A920 Relevance: 3.8, Strings: 3, Instructions: 84COMMON

Download Yara Rule

Strings

\9X7, xrefs: 0044A923
;:54, xrefs: 0044A9B3, 0044A9BB
@, xrefs: 0044A970

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$@$\9X7
API String ID: 2994545307-443102510
Opcode ID: 6ac5ba2a3848dfd158dfdc445177851b6ea7e7ab2008ca005f77dba1e41b31d4
Instruction ID: 61df063a2357247074fa9386486a3e1957a8e93e6842f5f367d6fb2425e9dc59
Opcode Fuzzy Hash: 6ac5ba2a3848dfd158dfdc445177851b6ea7e7ab2008ca005f77dba1e41b31d4
Instruction Fuzzy Hash: DB3166B15083009BE310DF14D980A2BFBF9FF8A318F14892DE58497251E339D914CBAB

Function 00449580 Relevance: 3.2, Strings: 2, Instructions: 713COMMON

Download Yara Rule

Strings

T'&!, xrefs: 004495B3, 004495BB
0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$$T'&!
API String ID: 0-2300784948
Opcode ID: e2b057cc033b0edc3fe4232f2a3896a439a452f1bee7fab9dc5139b2cf461f2c
Instruction ID: f16a53d80bf270c7979ba3a4e2a3b4766dddc8c5520dd8645b6b3131129592cf
Opcode Fuzzy Hash: e2b057cc033b0edc3fe4232f2a3896a439a452f1bee7fab9dc5139b2cf461f2c
Instruction Fuzzy Hash: 3032893460C340CFD704DF28E990A1AB7E1FF8A31AF19886DE5858B362D335E954DB4A

Function 0042D6F0 Relevance: 2.9, Strings: 2, Instructions: 358COMMON

Download Yara Rule

Strings

tUWl, xrefs: 0042DA93, 0042DA9B
o^_b, xrefs: 0042DA50

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: o^_b$tUWl
API String ID: 2994545307-3192600724
Opcode ID: e204a0f69503bce91028cc47280996955e77d4d53eac8bb79977be26a6605346
Instruction ID: 03db81f68b829ac62a433c253204fb25f244f9a329e39115774d30c4e83b14b4
Opcode Fuzzy Hash: e204a0f69503bce91028cc47280996955e77d4d53eac8bb79977be26a6605346
Instruction Fuzzy Hash: 47A11271A083119FD710EF15E890B2BB7E1EF85314F64892EF59987351E338E840CB9A

Function 004354A6 Relevance: 2.9, Strings: 2, Instructions: 353COMMON

Download Yara Rule

Strings

[^"Y, xrefs: 004355CB
U.Da, xrefs: 004356B5

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: U.Da$[^"Y
API String ID: 0-3132506315
Opcode ID: 9b75ece036759378195a9bf4f53f2f48e10b4deee5bf70fda4db311eb22fbf02
Instruction ID: ac9ac3933775d2256496bc8287258fa8106305a43dadf0415ea25cee06398cb6
Opcode Fuzzy Hash: 9b75ece036759378195a9bf4f53f2f48e10b4deee5bf70fda4db311eb22fbf02
Instruction Fuzzy Hash: B8E16B70404F808ED7328F35C4907E3BBE1AF1A304F84995ED5EA8B692D739E505DB65

Function 0040DE20 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

w`}b, xrefs: 0040DFB4
opgt, xrefs: 0040DFAC

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: opgt$w`}b
API String ID: 0-2758945785
Opcode ID: 298a5cd36f6d69d185647e169501a24c557c346b6e4923422ba8e26d7c29c9b9
Instruction ID: 56c1f4487eaec788286ed6761f49cb54518eada9de256ec486ddf6324bf4e2db
Opcode Fuzzy Hash: 298a5cd36f6d69d185647e169501a24c557c346b6e4923422ba8e26d7c29c9b9
Instruction Fuzzy Hash: F0C134B05083809BD311EF56D480A2FBBE4EB96748F104D2DE1D49B392C779D918CBAB

Function 00422673 Relevance: 2.7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

Strings

O1NO, xrefs: 00422816
")B, xrefs: 00422919

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ")B$O1NO
API String ID: 0-2629967336
Opcode ID: e6cf0548333ae4fcf02a1c70276e66e1be1c026a10561864c89da198f9c4aa89
Instruction ID: 357e7906652d570bd0c3cf92acab623ec5306bc9f16e6ff154a734f56acea3a8
Opcode Fuzzy Hash: e6cf0548333ae4fcf02a1c70276e66e1be1c026a10561864c89da198f9c4aa89
Instruction Fuzzy Hash: 5C6177B46083909BC300AF19E891A2BBBF0EF92755F84491DF4C49B361E379D911CB5B

Function 0042268A Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

O1NO, xrefs: 00422816
")B, xrefs: 00422919

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ")B$O1NO
API String ID: 0-2629967336
Opcode ID: 142dfccd39e8424dc339e935302cb7a54e8df3c4f5416460b5bcfe13e7502297
Instruction ID: d5ac74756f149cbb4a96c6fcf04656c1624da6386313232f50d9fcc619c8e41f
Opcode Fuzzy Hash: 142dfccd39e8424dc339e935302cb7a54e8df3c4f5416460b5bcfe13e7502297
Instruction Fuzzy Hash: 896176B46083A0ABC300AF19E891A2BBBF0EF92755F44495DF4C49B361E379D911CB5B

Function 00439880 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00439A32
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 0043994B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2222143745
Opcode ID: f068a729cb661a9bd15075f354239e4a50013d93da8a1ed15d154f4616625041
Instruction ID: 20f377fefa2c7eb00aaa400402c53f4e2b27e897c9f9d000dd49f76e59748751
Opcode Fuzzy Hash: f068a729cb661a9bd15075f354239e4a50013d93da8a1ed15d154f4616625041
Instruction Fuzzy Hash: E761F933B1D58187D718993C4C522B66A831FAB374F3D936BE4B2C73D1D5A98C029346

Function 00437E70 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00437F5F
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00437F43

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-2492670020
Opcode ID: c14f06df38f0fb473a4aa8476d427ad33fb3adc3615abd7e4720bd95abce625e
Instruction ID: 3f95d336363f26b12fda4084b5fe5cd547504f729864173a97163ceafce5da15
Opcode Fuzzy Hash: c14f06df38f0fb473a4aa8476d427ad33fb3adc3615abd7e4720bd95abce625e
Instruction Fuzzy Hash: 3971376660D6904BD3289A3C8C5037ABA925B9B334F2D976FF4F2473E1C5298806935A

Function 004492C0 Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 4b5fb86ab7783634e8426eb6a5beccb753f17b6567c103218c73c1187726e3c9
Instruction ID: 6e0865e907425cf75320b74792bf90df407925e1fa0e5ab0e50ac8bca2d6273f
Opcode Fuzzy Hash: 4b5fb86ab7783634e8426eb6a5beccb753f17b6567c103218c73c1187726e3c9
Instruction Fuzzy Hash: C0529B75608340CFD704DF28E89061BB7E1FB8A31AF19886EE5C58B352D335E950DB5A

Function 00449410 Relevance: 2.1, Strings: 1, Instructions: 801COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 49a94e6cb11d6aa5231ce31b2a3b0ae13bf27557489387570f618a1cede55622
Instruction ID: 9c79c92c8d55ea1f9b77809b46a9c6bc11abe925a532a833b99ee4f9aaeb858c
Opcode Fuzzy Hash: 49a94e6cb11d6aa5231ce31b2a3b0ae13bf27557489387570f618a1cede55622
Instruction Fuzzy Hash: 3F427A3560C340CFD704DF28E990A1AB7E1EB8A31AF19886DE5C58B362D335E950DB5A

Function 00449690 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 6a9e394f2ce95cb9a7996a26e795fe10874b16fb4776584fafaa184a522fdb30
Instruction ID: a78a7c277879c736897cf7ac7ecc7938aeebc78e1496ca281fcf500cbbfe4cdb
Opcode Fuzzy Hash: 6a9e394f2ce95cb9a7996a26e795fe10874b16fb4776584fafaa184a522fdb30
Instruction Fuzzy Hash: 9422893460C340CFD704EF28E890A1BB7E1EB8A31AF09886DE5C58B352D335E950DB5A

Function 00449780 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 7135110f5d930902eccf3a44a32dc23a60941ee016691cfe26a7abae5c701e14
Instruction ID: cca9a259955e133b43c0d4e571be30f1d12aba5fe8632a6eced6d828887752d6
Opcode Fuzzy Hash: 7135110f5d930902eccf3a44a32dc23a60941ee016691cfe26a7abae5c701e14
Instruction Fuzzy Hash: 8C228774608340DFD704EF28D99062BBBE1EF8A316F09886EE5C58B352D335E950DB5A

Function 00428D1C Relevance: 1.9, Strings: 1, Instructions: 628COMMON

Download Yara Rule

Strings

, xrefs: 0042874F, 00428723, 0042872B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 573c0e96f2afe8ad1c15bdc341012e85ab549882f6636d185d739a5475ba9a17
Instruction ID: 51e696bd5ec15287983243273ec61dae75fd2fac5fc03b4f59f6828f5017c962
Opcode Fuzzy Hash: 573c0e96f2afe8ad1c15bdc341012e85ab549882f6636d185d739a5475ba9a17
Instruction Fuzzy Hash: 0922BB75619311CFD714CF28E8A072EB3E2EB89305F49897DE88697262DB34ED11CB45

Function 00428D00 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

, xrefs: 0042874F, 00428723, 0042872B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: d1d8b00e44025d60afc62db50dc92e79d5033c821c3f3d9179cbf4b21f6c9f50
Instruction ID: dc7947b7e6109e91b50e16232e030e15c55b0782f0dcd0c8b1d58dcd2f3ec650
Opcode Fuzzy Hash: d1d8b00e44025d60afc62db50dc92e79d5033c821c3f3d9179cbf4b21f6c9f50
Instruction Fuzzy Hash: D412AB75619311CFD704DF28E8A072EB3E2EB89306F49897DE88597262DB38E911CB45

Function 00405320 Relevance: 1.8, Strings: 1, Instructions: 568COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00405682

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 919116935798560f246e6156ec8e8e9cfd8da4807187642b2343c387b473d4d4
Instruction ID: 20feea22dbaa0119b6c9156ed34180d71f45265348ec538088c5f8d36220c5c6
Opcode Fuzzy Hash: 919116935798560f246e6156ec8e8e9cfd8da4807187642b2343c387b473d4d4
Instruction Fuzzy Hash: 4F12E6B2A08B418BE7148E58D480327BB92EFA1314F19857FD8896B3D1E779DC45CF4A

Function 004276A0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044DB80,00000000,00000001,0044DB70), ref: 004276C9

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 735f4f0e8ea5cc4430647eb07c1c43c3b0f65900f5abb12b3a6264a1ad4a35d4
Instruction ID: 661dc55ae77cfbde4c0051d48ed309cc2d55411694cdcf6b49fd2dde045b32f1
Opcode Fuzzy Hash: 735f4f0e8ea5cc4430647eb07c1c43c3b0f65900f5abb12b3a6264a1ad4a35d4
Instruction Fuzzy Hash: 6851FFB07083209BDB20AB24EC96B7733B4EF81358F544959F9858B390E378E801C76A

Function 00449A40 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: af47a18e417ca44032f7ecccd916510462ab16a59ee48c76b0e9b599ab7f98b5
Instruction ID: 881c954678f8796fe656ae0d28e990270fa6eae4fcec6e348efbb8980500b22d
Opcode Fuzzy Hash: af47a18e417ca44032f7ecccd916510462ab16a59ee48c76b0e9b599ab7f98b5
Instruction Fuzzy Hash: A4E1793460C340DFD704EF28E99061BBBF1EB8A316F19886DE5C68B252D339E950DB56

Function 00427900 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00427D40

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 175d8a288f5888c5a2cb581ced43757a7e2644ab78572fc4fafd738db361e8ea
Instruction ID: 6bd0c6b0c3419b93c5c7550c24bf3f6632f543d7fe83940d4e1721b018c3d69e
Opcode Fuzzy Hash: 175d8a288f5888c5a2cb581ced43757a7e2644ab78572fc4fafd738db361e8ea
Instruction Fuzzy Hash: B6C1D1B160C3109BD711AB25E841A2BB7F4EF96364F88481EF8C597351E339E940CB6A

Function 00431ED0 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

", xrefs: 004321D8

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: ff99a7c9b470f766bfbe338ba90c26ed05b46c28c8c0b3cdbf304a5dfe3f06da
Instruction ID: 42062e19262baeacce261b2f88b05e1f475a0e7cfe5b4b7249c66d792c028547
Opcode Fuzzy Hash: ff99a7c9b470f766bfbe338ba90c26ed05b46c28c8c0b3cdbf304a5dfe3f06da
Instruction Fuzzy Hash: 35D147B2A043009FD714CE25C98076BB7E5AF89310F189A2FE99587391E7BCDD49C786

Function 00448C40 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

P, xrefs: 00448DE6

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 42475a6d9d4a1a8bfd98537bfd63c011a62fd918712275191ea96adf7ca5917d
Instruction ID: 34688efd5666104c9592188b828e154dc221ee294a09268e027c054d00bcd7fc
Opcode Fuzzy Hash: 42475a6d9d4a1a8bfd98537bfd63c011a62fd918712275191ea96adf7ca5917d
Instruction Fuzzy Hash: 9BD1F4329082644FE719CA18C45072FB6E2EBC5318F15863DE8B9AB390DB79DC06D7C6

Function 0042887B Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

, xrefs: 0042874F, 00428723, 0042872B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 63899ac525b73123fe937764e65aff5db5442e900d19f84f58249e8b59d622ee
Instruction ID: 0bc9d32587badb6e1089986d6acf427c4e4f3aa01848c782b773e6d10f2386de
Opcode Fuzzy Hash: 63899ac525b73123fe937764e65aff5db5442e900d19f84f58249e8b59d622ee
Instruction Fuzzy Hash: 58D1BEB5619301CFD704DF28E8A076AB3E1FF89306F09897DE48697262DB34E950CB45

Function 0042F700 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

0{y, xrefs: 0042F924, 0042F92D

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0{y
API String ID: 0-51807998
Opcode ID: 20fa1c9257911a36ca36470c2e7e1c22bb6fb13c29c85412142eef28ecb33bfe
Instruction ID: c4731e0e9eccddd579ce74b767209ac34a9a962a8e632d51c6645eda6d2b33b1
Opcode Fuzzy Hash: 20fa1c9257911a36ca36470c2e7e1c22bb6fb13c29c85412142eef28ecb33bfe
Instruction Fuzzy Hash: ECE124745083918AD724DF18E950B1FBBF1BB86708F90092DE9C89B391D735D909CBAB

Function 00429DC9 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

4, xrefs: 00429F53

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-350161683
Opcode ID: 92a0072889c20233ca62e92d02a93d087f6e24251b83944abd5c3ca87f7dbe86
Instruction ID: 0174e6cff714d9d3c0264d8286eeb52dca6f5f2297d9d4a0b4876d546a24463a
Opcode Fuzzy Hash: 92a0072889c20233ca62e92d02a93d087f6e24251b83944abd5c3ca87f7dbe86
Instruction Fuzzy Hash: 4DA1C9716083528BD310DF24D480A6FB7F2FF94740F988D2EE4C587261E7399959CB9A

Function 00448390 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004485B0

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: eedfc26b24bc0fe6557ceb04a84a399e725fa3b42207ef816896f37233c85be1
Instruction ID: 131acc8278a68d64eeb6898d39fc8dfeddf15283686ebe1cb7cefac48c2ffecb
Opcode Fuzzy Hash: eedfc26b24bc0fe6557ceb04a84a399e725fa3b42207ef816896f37233c85be1
Instruction Fuzzy Hash: 3CA1BF71608341ABF720DF14C850BAFBBE5EB85355F54482EF98497391EB34E940CB9A

Function 0044AD20 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

;:54, xrefs: 0044AD53, 0044AD5B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: a552d39f2bd7ef4868304ccf967d23ef7fffb579692fdef7b13429a2f9516bf0
Instruction ID: 21f2187efaab772fbbc5d5b1e6dd703fa95306b9cd8bccf6eef653216d17fc48
Opcode Fuzzy Hash: a552d39f2bd7ef4868304ccf967d23ef7fffb579692fdef7b13429a2f9516bf0
Instruction Fuzzy Hash: DE81BDB42487019BE724DF28C890A2BB3E5FF89745F14892DE4858B351E735EC24CB9B

Function 00429EE0 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

4, xrefs: 00429F53

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-350161683
Opcode ID: 198d44f7afc769c1b3122b401b871429bf2e966949c3172fdbe8aea22ff48e24
Instruction ID: e4fc10516fa2316bf4a5599780e9b805dc78d69fb17dffabfdebbfb6507c3884
Opcode Fuzzy Hash: 198d44f7afc769c1b3122b401b871429bf2e966949c3172fdbe8aea22ff48e24
Instruction Fuzzy Hash: 42A1F071608312CBC320DF28D48096BB3F2FF88741F968D2DE4C687260EB39A955DB56

Function 0040A940 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040AA76

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 62817cb2a17c8e9643bd4b2493ff8d6ec1e3fb4a32a297e266eb5e7dd60e8b6d
Instruction ID: 12db4f90ca3269c29524b76ef3c1c0f8dbc8020f24ad9f5730d38d234bfc5a28
Opcode Fuzzy Hash: 62817cb2a17c8e9643bd4b2493ff8d6ec1e3fb4a32a297e266eb5e7dd60e8b6d
Instruction Fuzzy Hash: 37B139712083819FD321CF18C88065BFBE0AFA9704F444E2EE5D997782D635E918CBA7

Function 00421DC0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

a B, xrefs: 0042205B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: a B
API String ID: 0-3137502235
Opcode ID: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction ID: 6791246eca1351c5328d7902d9057258b1aec060df4b542f970ff6e8af0f9a69
Opcode Fuzzy Hash: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction Fuzzy Hash: DF5168B06083508BC714DF14D581A2BB7F0FFA6358F448A0EE8D59B3A1E339D944CB9A

Function 00445580 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

, xrefs: 004455D6, 0044575F, 00445733, 004455B3, 004455BB, 0044573B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 7a42694725f0e8f604c61eb579e0ffb5b06b52798249ef1ea9602468f7b0b423
Instruction ID: 99bd972ddb00d8c0accb3e56e9343d025c11d7df58ce895e5b891d06f5205592
Opcode Fuzzy Hash: 7a42694725f0e8f604c61eb579e0ffb5b06b52798249ef1ea9602468f7b0b423
Instruction Fuzzy Hash: 0D61E2356087019BFB10DF24C880B3BBBE6EB85314F55892EE48987362D639EC11CB1A

Function 00448190 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448350

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 96d8d896c6325d1ecc715d8eec931c372c915e865b1d35b4a9b399d7417457fe
Instruction ID: f2be005d942e4e2615dd207fd9a3b45408ac578641062338537af6c7fa4a3d29
Opcode Fuzzy Hash: 96d8d896c6325d1ecc715d8eec931c372c915e865b1d35b4a9b399d7417457fe
Instruction Fuzzy Hash: 7A5125316087049BE7149F19C890B2FB7E5FF85715F188A2DE8D957391CA3AEC01C79A

Function 00444480 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 004445D6, 004445B3, 00444556, 00444533, 0044453B, 004445BB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: c3984b0afdbe81277c892565e6284a68daa2c00bdff0285ab262ff4f6266c121
Instruction ID: ae879fc850b573c7fcc27bce8fc0229c99342f9cf9ea990149d60e095a57cdc4
Opcode Fuzzy Hash: c3984b0afdbe81277c892565e6284a68daa2c00bdff0285ab262ff4f6266c121
Instruction Fuzzy Hash: 9241B035608240ABEB24DF14D980B2BBBE6EFC6705F19482EE5C587311D739EC51CB2A

Function 0044A610 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

;:54, xrefs: 0044A644, 0044A64D

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 5631d567d11453a6109dcff4ad7cc3bee237fea7f6fd986a06632eafa227ce3b
Instruction ID: 882643b4eb6ca10f8686816ed560115293d3e2a899ffd47342a0d4b0e7199bb1
Opcode Fuzzy Hash: 5631d567d11453a6109dcff4ad7cc3bee237fea7f6fd986a06632eafa227ce3b
Instruction Fuzzy Hash: 14418074248300ABE7249F15D990B2FB7B6EB85715F18882EF5C587252D339EC21CB6B

Function 00444960 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 00444A76, 00444A53, 00444A5B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 14c545dee9ca3b9773ca046853ccc447e70483d1340eecc98b931c74cbf1d43a
Instruction ID: 274f3e1b3b6f42031ba6c240eb81a6913b2c0584eb231ee528a0b8831dbf2603
Opcode Fuzzy Hash: 14c545dee9ca3b9773ca046853ccc447e70483d1340eecc98b931c74cbf1d43a
Instruction Fuzzy Hash: 5341D275604204ABEB20DF64EC41B6BBBA5EFC5705F04482EE88593351D339DC10EB6A

Function 0044A7A0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

;:54, xrefs: 0044A7D4, 0044A7DD

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 031c22b133dd9dba0ebc7900e4cb744e3d4209b3f1ea91417fb3c36fded8ae43
Instruction ID: 78e3c2dc7897cdc557890b703a0409e606c332cfa71594da55bc866c29a599f7
Opcode Fuzzy Hash: 031c22b133dd9dba0ebc7900e4cb744e3d4209b3f1ea91417fb3c36fded8ae43
Instruction Fuzzy Hash: FE419D74648300ABE714AF14D890B2FB7F6EB85715F24882EF58997291C339E821CB5B

Function 00420729 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

, xrefs: 004207BD, 00420777, 00420786

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 32387dd3542a485ec372521255e0c86dbce74193274f2aceababfaa4507e62a6
Instruction ID: 0e37ae3c7cdb39b94d4783fab9bf39235a70f96b3866e444776f1420009e3a49
Opcode Fuzzy Hash: 32387dd3542a485ec372521255e0c86dbce74193274f2aceababfaa4507e62a6
Instruction Fuzzy Hash: 7E218E356093419FD770CF10E890AABB3A3EBC5302F954A6DE08897252DB35F891CF86

Function 0042A1F0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042A250

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 71637f2b961aae30c1abcf79f9556ccac77976f21aa7df97791045416a8145e8
Instruction ID: 900762551a009ee9e5bc5032e1dc8f56701680aef49dcc048cf94ae26ce606f7
Opcode Fuzzy Hash: 71637f2b961aae30c1abcf79f9556ccac77976f21aa7df97791045416a8145e8
Instruction Fuzzy Hash: 7F116731618352CFD704DF60E89092BB7B2FB86302F844C6CE89193252C336E956CB2A

Function 00430399 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00430400

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 36c81f32d7e8e98c2885f55244e5b12d3ca4cf1e43c1a724e488aea8086b4d45
Instruction ID: 0fede4bbd285df6194be11d0089554e364ca0ed6f48cce0ee28e8a9528bdc190
Opcode Fuzzy Hash: 36c81f32d7e8e98c2885f55244e5b12d3ca4cf1e43c1a724e488aea8086b4d45
Instruction Fuzzy Hash: 5A115A726083429BD704DF15E9A042BF7F6EB9A706F54692EE580E3212D335EC508B6A

Function 0040BFC0 Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15165873a2b71e9ad4aef63ef2515f51c890ce2bec2ceb65bd7d5d63dac0f0cb
Instruction ID: 8ca5f52accdc9143aef8896f108a10c71876bcd751686983a5eb443fd30660e4
Opcode Fuzzy Hash: 15165873a2b71e9ad4aef63ef2515f51c890ce2bec2ceb65bd7d5d63dac0f0cb
Instruction Fuzzy Hash: 7E529F31518311CBC725DF18D48026BB3E2FFD4314F298A3ED996A7385D739A856CB8A

Function 0040B4B0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be52c68402c1a256dc0bff41ed4c6e5da89aba4ddac84e3b8cee7d09d710cb91
Instruction ID: 2a543fe0290e35dd774d49a35ab7b808e05b95325d1f41aa21e6dfa613f40ce0
Opcode Fuzzy Hash: be52c68402c1a256dc0bff41ed4c6e5da89aba4ddac84e3b8cee7d09d710cb91
Instruction Fuzzy Hash: 995280B09087888FE7358B24C4847A7BBE1EB91314F14493EC5D656BC2C37DA989879E

Function 004073B0 Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aebd196cfce2ece89693e8a3af266d99451e3254239792bf7d557356db20812
Instruction ID: 1299278142d69064fa20501cc2947707d5ea86ed0659b469aa11ec982258ee42
Opcode Fuzzy Hash: 9aebd196cfce2ece89693e8a3af266d99451e3254239792bf7d557356db20812
Instruction Fuzzy Hash: 7052D37190C3458FCB15CF28C0806AABBE1BF85314F198A7EE89967381D778F945CB86

Function 00407DB0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc72286782c76dc1b518893e36444785179378f8b2301ee3f0add1592b3c476
Instruction ID: 61efba15a6eb25ad1034543c33e3361113fa73d3afab78e42815a8d0d2a0988b
Opcode Fuzzy Hash: 6cc72286782c76dc1b518893e36444785179378f8b2301ee3f0add1592b3c476
Instruction Fuzzy Hash: 92320370915B118FC328CF29C69052ABBF1BF85710B604A2ED6D797F90DB3AB845CB19

Function 0040A3F0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction ID: 58a25341c55a3b80564a6f3fd460fa8bad488cfbb2019d67dcfb717cc5f8fa03
Opcode Fuzzy Hash: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction Fuzzy Hash: 68F1E0366083418FC724DF29C88176BFBE2AFD9304F08892EE4C587791E679E855CB56

Function 00409AC4 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b084b93d18f5122eb4f37eec6fbd4d37e16d81bb93f817f437e21aadb76732
Instruction ID: 31cd3b0a7633fb710b89429b2bc56ded61296508807ad5e1714f2512d5ae2172
Opcode Fuzzy Hash: b7b084b93d18f5122eb4f37eec6fbd4d37e16d81bb93f817f437e21aadb76732
Instruction Fuzzy Hash: 2A02233520D380EFC714CF28D854A5FBBE1AF9A304F48886DF986873A2C675D958CB56

Function 00409130 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b04d311740c3a693510d137259d1953bdeb9af0456c45c6f26f121977fee93
Instruction ID: b2bb1137b2c262fe44042a2509ebdf908a7067687372834c765dcb93f4ac5d47
Opcode Fuzzy Hash: 79b04d311740c3a693510d137259d1953bdeb9af0456c45c6f26f121977fee93
Instruction Fuzzy Hash: 6CD16579618201CFD308CF28D85076AB7E1BF89319F09897DE88A87391D779DA49CF85

Function 00448740 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38d465297857997a66cbd81480a98a747353c671aa88e59efa72fd24129981d
Instruction ID: 95ae740343870db962639aac20e96c13ca122ca98226fcd363cc888841663938
Opcode Fuzzy Hash: a38d465297857997a66cbd81480a98a747353c671aa88e59efa72fd24129981d
Instruction Fuzzy Hash: 9FB1C4B2A043408BF714EB29DC5176FB7E5EBC5318F08492EE985D7381EA38EC05875A

Function 0042F038 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777be3b012202c20f2d24fc21d88a83219a840c3de9a95746034cd2ee5c9bcba
Instruction ID: 3e124b1ee1e2fbb94c0108bd99818db20fcb92b5a624684b48bb233c73bebb9e
Opcode Fuzzy Hash: 777be3b012202c20f2d24fc21d88a83219a840c3de9a95746034cd2ee5c9bcba
Instruction Fuzzy Hash: B2B16931A08391CFE324CF38AC9035AB7E2AF96311F59867EE9E1472A2D774DC048B45

Function 0040B010 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0c86732349e253abbbf0d9b9b08fb7b6e8d0a6d37f13b63e92bce75656d0ff
Instruction ID: 2bf9ac9d92d49db1f35f54c551e4b1d3b2bfac4e841633df1b0f5e6c6eea4945
Opcode Fuzzy Hash: bb0c86732349e253abbbf0d9b9b08fb7b6e8d0a6d37f13b63e92bce75656d0ff
Instruction Fuzzy Hash: E2C169B29187418FC320CF68C886BABB7E0EF85318F08492DD5D9D6342D778A555CB8A

Function 00439B00 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696d2aa435a88c5cb9f62c8bb66cf98639590cd84ba3f79e2120987dea59b3f6
Instruction ID: 03c335b696acbfa1222c85735cd042e192cda2d6d7cb1635e12136a9917dd72d
Opcode Fuzzy Hash: 696d2aa435a88c5cb9f62c8bb66cf98639590cd84ba3f79e2120987dea59b3f6
Instruction Fuzzy Hash: 88616933A0959047C7145E3C5C522B9AA571BDB334F3EA36BD8B15B3D1D5AE4C02839A

Function 0043F1E0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31eb65ba5d94ac51842e776ac950774c660abfcd452dc49c942fc67d509d6191
Instruction ID: d89d67e6857123330a75621b11ed0d4d2d8cbfec3bcc0f746fb68ba78aa451ae
Opcode Fuzzy Hash: 31eb65ba5d94ac51842e776ac950774c660abfcd452dc49c942fc67d509d6191
Instruction Fuzzy Hash: 9D515DB19087548FE314DF69D49435BBBE1BBC9318F144A2EE4E987390E379D6088B86

Function 004407E0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction ID: 1f599e4a3158c74960d010f2bc0623c05adc229359004241147c85c12db3a7a7
Opcode Fuzzy Hash: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction Fuzzy Hash: B151677160C7944FE724DA28C4906BBF7E2EBCA304F05891EE5D68B386D239ED11C786

Function 0041DD55 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction ID: c3eb6362ce0c75d13d700f485dc85ea6da2151878511bd4321f44dde0745d3df
Opcode Fuzzy Hash: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction Fuzzy Hash: 4241FFB0D007118BDB24DF18D892BB773B1EF66365F098209E8469B3D1F738A580C3A9

Function 0042FAA0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f59a72204999f12b57d7a6d56c558054d4f9ffdf3d7360ab34c8f025ffc8da
Instruction ID: 834d04fe016ef7ba85265e29078afe447fec19cf065d57abbf3f5259a11ec16b
Opcode Fuzzy Hash: 87f59a72204999f12b57d7a6d56c558054d4f9ffdf3d7360ab34c8f025ffc8da
Instruction Fuzzy Hash: 9C51A975A083418BD7209F14E81076BB7F0BF86344F94482EE9C897391EB399959CB9B

Function 00405C20 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129904f85c307e3588cd884dafb5844055e48e4276fee2c0a2a473afeaa7381d
Instruction ID: 800948cd5643afb1633654617254b82d61c8276f70e6524d9fc1444306718457
Opcode Fuzzy Hash: 129904f85c307e3588cd884dafb5844055e48e4276fee2c0a2a473afeaa7381d
Instruction Fuzzy Hash: 8A51BFB5A087009FD7149F14C480927B7A1FF85324F19467EE899AB392D634ED82CFDA

Function 004296C0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction ID: 0925ad793c1136a2802a404586ed31f0ee07a2f5848fa9ad6f03dcbcf2e6d2b7
Opcode Fuzzy Hash: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction Fuzzy Hash: 1A511FB451C384AFD200EF15E980A1EBBF8AB96748F848A0DF0D55B251D379D904CFA7

Function 0041518E Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c702810b4918d153a208cc470cd7352f5762b9d1db81313dbb29e59251792305
Instruction ID: 52a620e33f2925f96ab70c1619b5e5c7130e5b592a62fa1a6b5a43710b3232e2
Opcode Fuzzy Hash: c702810b4918d153a208cc470cd7352f5762b9d1db81313dbb29e59251792305
Instruction Fuzzy Hash: F53168B4508341DFD300EF21E855B5FB7F8EF86305F04482EF98186292E339D4098B2A

Function 00411600 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction ID: bfe5cd5187ccc1ec628e516f862eecb2a9a4cff56f39fb33956bd3dde7b4fba7
Opcode Fuzzy Hash: 21c1cacea7c292397c36a41f47572ec33d5cdbddb8ff198c048a63802585a0d1
Instruction Fuzzy Hash: 87411472B0C3604FD318CE3A889016ABBD2ABC5210F19C73EF1A6877E4E679C945D755

Function 00437110 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa595f52097eddb0803ef205c00d6601ffbae381ba9b3012eee6b7bf647ea68
Instruction ID: df6959280d82a99e39c9dc27484d38c5c608e5d3ee414f297b97f8b4e65d43c1
Opcode Fuzzy Hash: 9aa595f52097eddb0803ef205c00d6601ffbae381ba9b3012eee6b7bf647ea68
Instruction Fuzzy Hash: AE41E6B0905B00AFD360EF3DC946783BEE4EB09314F144A5DE8AACB381D375A515CB96

Function 00404B60 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608b37dfba14305b93db33815757c93df7d2eb92e9354bda027161d552915dbc
Instruction ID: b276c89fb37e417b112e9a1432116ee7dab3cda9556e7031b28351ec34740547
Opcode Fuzzy Hash: 608b37dfba14305b93db33815757c93df7d2eb92e9354bda027161d552915dbc
Instruction Fuzzy Hash: A531D7756182009BD7109E19D8C0B27B7F1EFC4318F14497EE999AB381D239ED42CB8A

Function 0043BBB0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f3d13c4f77b678f3f5ad4c70681dfe8afdb1ce760f55218f4420d384e65a605f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 89112C336082D80EC3218D3C8440665BF934A97234F59539EF4B89B2D6DB2ACD8B8399

Function 00431720 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689434a6e26603a0695f01cf84fccc129b07ef7bb0e5c58eae2955e3fe6ef262
Instruction ID: 809c4b8c5f4d90910c120ffc8bea963b43a288cc7962883a6e400ac8cb8d82d8
Opcode Fuzzy Hash: 689434a6e26603a0695f01cf84fccc129b07ef7bb0e5c58eae2955e3fe6ef262
Instruction Fuzzy Hash: 8201B1F570030187E720AF11E4C272BB2B8AF88748F0C153EE80957346DB79EC0586A9

Function 0044716D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d12d1adf075babf471c10f2bc2ad8607f47991889b014188b00980cf6b31f3
Instruction ID: 228517455a837c86bd3de3dc643e4236668c8363ac2aa5d5ed890d384a3c7814
Opcode Fuzzy Hash: b5d12d1adf075babf471c10f2bc2ad8607f47991889b014188b00980cf6b31f3
Instruction Fuzzy Hash: 9E11AF7550C3408BE200DF64D69091EBBF6ABAAA45F200C2DF68187712C33ADC46CB9A

Function 00420F8A Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d617ffe7d5c95ea20ab83b84e9b735c0169c4a1dce0e854e5ea2c9dadd475d
Instruction ID: e0267410d78486dba0c77835f341638f85eeac581fc42256d1c37bbad7741185
Opcode Fuzzy Hash: 87d617ffe7d5c95ea20ab83b84e9b735c0169c4a1dce0e854e5ea2c9dadd475d
Instruction Fuzzy Hash: 5B21F475A083909FD771CF549840BEFBBF1AB8A305F850A2DE8D957251CB329981CB86

Function 00407070 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction ID: 0881e27a7d94786878d36033187f5f8f48ccf74c1cb2524e580698b1175071d2
Opcode Fuzzy Hash: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction Fuzzy Hash: A0F0F63BB6931A07D710CD79ECC0A67B396D7C5245B1D413DE940D3341D47AFC0992A9

Function 00413B7C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction ID: 3824444f2fea6a38aa224781555283573b27659997e86fc043f4af1527c16adb
Opcode Fuzzy Hash: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction Fuzzy Hash: E7F0697090C3808BD305EB95D855E2EFBF8EF96305F44086DE1C097252E379EA188B6B

Function 0041B330 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52042383ae9116ef5cef2de8b578cd95b58dcf8ae2945c0acd97e50c34331e2f
Instruction ID: b90808f0e45e1e089d553ff27c91ba6f2e0ad3c2caebfdd83e04d91715e99d22
Opcode Fuzzy Hash: 52042383ae9116ef5cef2de8b578cd95b58dcf8ae2945c0acd97e50c34331e2f
Instruction Fuzzy Hash: 2AF0ECB160415497DB2289559CC0FB7FB9CCB8B354F190416EC9557202D2655894C3E9

Function 0044711B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae4b3d176fe3d9e6cfb88a54c04a35cb48f5a0a8002072fee7359236cb8bd63
Instruction ID: 47a14b461e903dbeb014341540f750bbb98732ec7d8519a36154f73ef99dc437
Opcode Fuzzy Hash: eae4b3d176fe3d9e6cfb88a54c04a35cb48f5a0a8002072fee7359236cb8bd63
Instruction Fuzzy Hash: 14F0927491C3408BE204DF64D69091EFBF2AB9BA05F500C6DF68593312C326DC45CB9A

Function 00441D40 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: ede5682b8c28294e075f40f1dacc9e23737c0304b007f35a3b59bcb766d625e6
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 5FD0A7B1A0832146AB748E19E400977F7F0EAC7B11F49955FF586E3268D334EC81C2AD

Function 00436D22 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00436D2B
VariantInit.OLEAUT32 ref: 00436D37

Strings

3, xrefs: 00436D5B
?, xrefs: 00436D6B
>, xrefs: 00436D97
!, xrefs: 00436D9F
0, xrefs: 00436D7F
!, xrefs: 00436D8F
;, xrefs: 00436D7B
1, xrefs: 00436D53
9, xrefs: 00436D73
=, xrefs: 00436D63

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction ID: dce76f18d0c2847a660f32665c65f5c980a7f4d88856c9310731f7cf479fe7be
Opcode Fuzzy Hash: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction Fuzzy Hash: 754106701087818FD722DF3C9588606BFA0AB16314F488A9DD8E64F7D6C774E605C762

Function 00435F1B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 78COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435F27
VariantInit.OLEAUT32 ref: 00435F33

Strings

;, xrefs: 00435F77
?, xrefs: 00435F67
9, xrefs: 00435F6F
3, xrefs: 00435F57
1, xrefs: 00435F4F
=, xrefs: 00435F5F
!, xrefs: 00435F8B
>, xrefs: 00435F93
0, xrefs: 00435F7B
!, xrefs: 00435F9B

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction ID: bd7fa2d9b3d987461a1fb8d7b0d277e8894d75febd5d938405cb1f81150e01dc
Opcode Fuzzy Hash: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction Fuzzy Hash: C841E930109780CED726CF6C9584706BFE06B16324F488A8EE8E54F7D7C765D606CB62

Function 004372B3 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004372BC
VariantInit.OLEAUT32 ref: 004372C8

Strings

3, xrefs: 004372FE
*, xrefs: 0043732E
-, xrefs: 00437316
2, xrefs: 0043730E
~, xrefs: 0043734E

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: *$-$2$3$~
API String ID: 2610073882-712268440
Opcode ID: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction ID: 60cbd62482cf228be9b6e719d21a7a82e449c946974cc26fe90643ebd4c431bc
Opcode Fuzzy Hash: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction Fuzzy Hash: 8F410770108B81CED721DF3C8588706BFE0AB26214F088A8DD8E98F397C775D515DB66

Function 00412763 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 300COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(910F9FD9,00000104), ref: 00412BB0

Strings

GD, xrefs: 00412770
s{, xrefs: 004129A7
F?>1, xrefs: 00412A36
7, xrefs: 00412838
XY, xrefs: 00412AD8

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: DirectorySystem
String ID: 7$F?>1$GD$XY$s{
API String ID: 2188284642-1708563726
Opcode ID: fc0f454941e73d89c8600b02f15ed39ee35adba4237271d2f7a6d66bb47eb516
Instruction ID: 62ad8892d7640dbba1527e93f85876fe2800d594e9350e4a7a6b89632e521fd2
Opcode Fuzzy Hash: fc0f454941e73d89c8600b02f15ed39ee35adba4237271d2f7a6d66bb47eb516
Instruction Fuzzy Hash: 1CB18AB400C3808ED7708F24C494BEFBBE5AB9A308F14496EE8D89B252D7758589CF57

Function 0043FF7B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043FFCB
SysAllocString.OLEAUT32 ref: 00440087

Strings

=>?, xrefs: 0043FF83
<;, xrefs: 00440033
13, xrefs: 0043FFA3, 0043FFAB

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: <;$13$=>?
API String ID: 2525500382-233072664
Opcode ID: eadfb38759a15d6bf80d1e0cf7a58bb9c6127851ff1dfacb242367057db8f5d2
Instruction ID: aef27eaaddc37be085e33d94480df1b121f3fdb86c47149d4cfce4d70e5ec3ca
Opcode Fuzzy Hash: eadfb38759a15d6bf80d1e0cf7a58bb9c6127851ff1dfacb242367057db8f5d2
Instruction Fuzzy Hash: 3A310CB410E380AFD310AF59E984A1FBBF5EB96705F90191EF5C18A212C37A8815CB67

Function 00435296 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00435394
FreeLibrary.KERNEL32(?), ref: 00435494

Strings

#v, xrefs: 00435394, 00435494

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 2ee30ce198429f2b261720e978774b144f59fa7d6bba2f124f19d53244588817
Instruction ID: d1eb672ef71c5625a8b09c305371944eacc5032cbe31c346a6b42b4affc249ab
Opcode Fuzzy Hash: 2ee30ce198429f2b261720e978774b144f59fa7d6bba2f124f19d53244588817
Instruction Fuzzy Hash: 5F515370005F808FD7268B358850BA3BBE19F1B306F48599ED4FB8B252D779A508CF18

Function 0043A888 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A8D6
GetSystemMetrics.USER32 ref: 0043A8E5

Strings

, xrefs: 0043A9B9

Memory Dump Source

Source File: 00000003.00000002.2175346950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 65cae8f6cdf4aa0ee36dce3bf563fb2e0777f3d215215006cc2803287500b777
Instruction ID: aff40aa290a2da8482ed65553a9083856d3f095cad100f3f2e2c159a29b72631
Opcode Fuzzy Hash: 65cae8f6cdf4aa0ee36dce3bf563fb2e0777f3d215215006cc2803287500b777
Instruction Fuzzy Hash: 2B519EB4E142089FDB40EFADE981A9DBBF0BB48310F118569E898E7350D734AD45CF96

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fASbbWNgm1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fASbbWNgm1.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
fASbbWNgm1.exe

Function 02BC2151 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 00FE1271 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 00FE1278 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 0040FEA0 Relevance: 14.4, Strings: 11, Instructions: 633
COMMON

Function 0040F242 Relevance: 11.9, Strings: 9, Instructions: 615
COMMON

Function 004109FD Relevance: 10.1, Strings: 8, Instructions: 109
COMMON

Function 00446C3F Relevance: 7.9, Strings: 6, Instructions: 387
COMMON

Function 0040F940 Relevance: 5.4, Strings: 4, Instructions: 384
COMMON

Function 00446BB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Function 00410A14 Relevance: .7, Instructions: 731
COMMON

Function 0040ED69 Relevance: .0, Instructions: 12
COMMON

Function 0040D1B0 Relevance: 6.2, APIs: 4, Instructions: 168
threadCOMMON

Function 004465E0 Relevance: 1.6, APIs: 1, Instructions: 83
memoryCOMMON

Function 00443DE0 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON