Edit tour

Windows Analysis Report
SoftWare(2).exe

Overview

General Information

Sample name:	SoftWare(2).exe
Analysis ID:	1532890
MD5:	7b0d68253d0ee4679ec73a41ca863991
SHA1:	6a8d7527f2299d700091d8dbfafc187162416e3c
SHA256:	c6758c468acae7447f8f9b1a15039a30f4d4a18a15fede5fd8265fba9056be8e
Tags:	exeuser-4k95m
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SoftWare(2).exe (PID: 6096 cmdline: "C:\Users\user\Desktop\SoftWare(2).exe" MD5: 7B0D68253D0EE4679EC73A41CA863991)

SoftWare(2).exe (PID: 1708 cmdline: "C:\Users\user\Desktop\SoftWare(2).exe" MD5: 7B0D68253D0EE4679EC73A41CA863991)

WerFault.exe (PID: 7136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1712 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 308 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["drawwyobstacw.sbs", "mathcucom.sbs", "resinedyw.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "bleedminejw.buzz", "condifendteu.sbs", "vennurviot.sbs", "allocatinow.sbs"], "Build id": "LPnhqo--uoaywzyrlsoc"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.SoftWare(2).exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.SoftWare(2).exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.SoftWare(2).exe.770000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:59.507065+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-14T05:02:00.461098+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49708	172.67.152.13	443	TCP
2024-10-14T05:02:01.532316+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49710	104.21.77.78	443	TCP
2024-10-14T05:02:02.598655+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49713	172.67.140.193	443	TCP
2024-10-14T05:02:03.527443+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49716	104.21.30.221	443	TCP
2024-10-14T05:02:04.502673+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49718	172.67.141.136	443	TCP
2024-10-14T05:02:05.564571+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49719	188.114.97.3	443	TCP
2024-10-14T05:02:07.749283+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49721	172.67.206.204	443	TCP
2024-10-14T05:02:09.109074+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49722	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:59.507065+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-14T05:02:00.461098+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49708	172.67.152.13	443	TCP
2024-10-14T05:02:01.532316+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49710	104.21.77.78	443	TCP
2024-10-14T05:02:02.598655+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49713	172.67.140.193	443	TCP
2024-10-14T05:02:03.527443+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49716	104.21.30.221	443	TCP
2024-10-14T05:02:04.502673+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49718	172.67.141.136	443	TCP
2024-10-14T05:02:05.564571+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49719	188.114.97.3	443	TCP
2024-10-14T05:02:07.749283+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49721	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:09.109074+0200	2049812	1	A Network Trojan was detected	192.168.2.5	49722	172.67.206.204	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:04.044625+0200	2056559	1	Domain Observed Used for C2 Detected	192.168.2.5	49718	172.67.141.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:05.139955+0200	2056557	1	Domain Observed Used for C2 Detected	192.168.2.5	49719	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:03.093703+0200	2056561	1	Domain Observed Used for C2 Detected	192.168.2.5	49716	104.21.30.221	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:00.021290+0200	2056567	1	Domain Observed Used for C2 Detected	192.168.2.5	49708	172.67.152.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:58.574959+0200	2056571	1	Domain Observed Used for C2 Detected	192.168.2.5	49707	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:00.962003+0200	2056565	1	Domain Observed Used for C2 Detected	192.168.2.5	49710	104.21.77.78	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:02.052402+0200	2056563	1	Domain Observed Used for C2 Detected	192.168.2.5	49713	172.67.140.193	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:59.512216+0200	2056568	1	Domain Observed Used for C2 Detected	192.168.2.5	65375	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bleedminejw .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:58.047859+0200	2056542	1	Domain Observed Used for C2 Detected	192.168.2.5	62342	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:03.541002+0200	2056558	1	Domain Observed Used for C2 Detected	192.168.2.5	64637	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:04.611627+0200	2056556	1	Domain Observed Used for C2 Detected	192.168.2.5	51276	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:02.607429+0200	2056560	1	Domain Observed Used for C2 Detected	192.168.2.5	51801	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:59.522775+0200	2056566	1	Domain Observed Used for C2 Detected	192.168.2.5	51533	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:58.074676+0200	2056570	1	Domain Observed Used for C2 Detected	192.168.2.5	63308	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:00.464540+0200	2056564	1	Domain Observed Used for C2 Detected	192.168.2.5	53169	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:01.540713+0200	2056562	1	Domain Observed Used for C2 Detected	192.168.2.5	61370	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:02:06.889131+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49720	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 2.2.SoftWare(2).exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["drawwyobstacw.sbs", "mathcucom.sbs", "resinedyw.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "bleedminejw.buzz", "condifendteu.sbs", "vennurviot.sbs", "allocatinow.sbs"], "Build id": "LPnhqo--uoaywzyrlsoc"}

Multi AV Scanner detection for submitted file

Source: SoftWare(2).exe	ReversingLabs: Detection: 42%
Source: SoftWare(2).exe	Virustotal: Detection: 42%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: SoftWare(2).exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: condifendteu.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: vennurviot.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: resinedyw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: allocatinow.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: mathcucom.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: bleedminejw.buzz
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp	String decryptor: LPnhqo--uoaywzyrlsoc

Source: SoftWare(2).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: SoftWare(2).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00787B87 FindFirstFileExW,		0_2_00787B87
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00787B87 FindFirstFileExW,		2_2_00787B87

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_546ea742dd48f46178dbb2b915245098904dcb1_95a35aca_fd133525-3c5c-41ae-bc01-a4509b427ecd\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_99eff584d7ae45d9eb7f2942b6104d7821b2b7b5_2927e4e7_43c31aa8-2cfa-4cc4-9dd5-bf9c1b22ee4c\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, ebx	0_2_007AA1CF
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_007C01C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, ebx	0_2_007AA1B8
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [ecx], dl	0_2_007AC2A8
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx eax, byte ptr [ebx+edx+01h]	0_2_0079C296
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 8784CCDEh	0_2_007DE320
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, edx	0_2_007CA3C8
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov edi, dword ptr [esp+08h]	0_2_0079C411
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_007A0520
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [ecx], dl	0_2_007AC5D5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+0000030Bh]	0_2_007CA430
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+0000030Bh]	0_2_007CA620
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	0_2_007C46A1
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx esi, byte ptr [ebx+eax-5FF9D2BBh]	0_2_007C2780
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov esi, dword ptr [esp]	0_2_007A6850
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov esi, dword ptr [esp+edx*4+2Ch]	0_2_007A6850
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_007CA844
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_007CA847
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-3Fh]	0_2_007D8960
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then push eax	0_2_007DA940
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_007C8AE0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_007DAB76
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-38B45DD5h]	0_2_007A8BF0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov ecx, eax	0_2_007C6C50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov ebp, esi	0_2_007C6C50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_007D6C10
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then xor byte ptr [esi+eax+00000404h], al	0_2_007CACE0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-104A1E79h]	0_2_007BACC6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp word ptr [ebx+ecx+02h], 0000h	0_2_007BACC6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+000000B4h]	0_2_007B8C89
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then push 4ACBA761h	0_2_007A8D4C
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], BBE848DDh	0_2_007DED80
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 731CDBF3h	0_2_007C0E10
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp eax	0_2_007D4F57
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_007C9000
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov edx, ecx	0_2_007DD000
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 55EAC941h	0_2_007DB1E4
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	0_2_007C1270
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+6FDFE1EEh]	0_2_007CB318
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+14h]	0_2_007B94E8
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_007C94C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp ecx	0_2_007DD494
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_007C5651
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_007C1638
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_007C1638
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, bl	0_2_007DD600
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_007CB6C6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+6F11CE57h]	0_2_007A9870
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [ecx], di	0_2_007BB8EF
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+5EEC5E92h]	0_2_007DB899
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 62429966h	0_2_007BBBFD
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp eax, edx	0_2_007BBBFD
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_007D1C20
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 62429966h	0_2_007BBCD0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp eax, edx	0_2_007BBCD0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx eax, byte ptr [edx]	0_2_007DBD90
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, ebx	0_2_007A7ED0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx]	0_2_007C3E90
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_007BFF60
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 55EAC941h	2_2_004402A4
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [ecx], dl	2_2_00411385
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+5EEC5E92h]	2_2_00440762
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+6F11CE57h]	2_2_0040E930
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	2_2_0043FC36
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-38B45DD5h]	2_2_0040DCB0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, ebx	2_2_0040EE60
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00425020
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042E0C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov edx, ecx	2_2_004420C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp ecx	2_2_004420C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, bl	2_2_004420C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [esi], cx	2_2_00425280
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0042A292
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx eax, byte ptr [ebx+edx+01h]	2_2_00401356
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [ecx], dl	2_2_00411368
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	2_2_00426330
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00426330
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00426330
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp ecx	2_2_00442330
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, bl	2_2_00442330
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 8784CCDEh	2_2_004433E0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov edi, dword ptr [esp+08h]	2_2_004014D1
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, edx	2_2_0042F4F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+0000030Bh]	2_2_0042F4F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042F4F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then xor byte ptr [esi+eax+00000404h], al	2_2_0042F4F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+6FDFE1EEh]	2_2_0042F4F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, edx	2_2_0042F488
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, bl	2_2_00442570
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_004055E0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0042E580
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+14h]	2_2_0041E59E
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [ecx], dl	2_2_00411695
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00429761
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov byte ptr [edi], dl	2_2_00430788
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx esi, byte ptr [ebx+eax-5FF9D2BBh]	2_2_00427840
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov esi, dword ptr [esp]	2_2_0040B910
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov esi, dword ptr [esp+edx*4+2Ch]	2_2_0040B910
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [ecx], di	2_2_00420991
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov word ptr [ecx], di	2_2_004209A4
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then push eax	2_2_0043FA00
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-3Fh]	2_2_0043DA20
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp ecx	2_2_00441B80
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, bl	2_2_00441B80
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042DBA0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+000000B4h]	2_2_0041DCC6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_0043BCD0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00436CE0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-104A1E79h]	2_2_0041FCB0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp word ptr [ebx+ecx+02h], 0000h	2_2_0041FCB0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov ecx, eax	2_2_0042BD10
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov ebp, esi	2_2_0042BD10
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 62429966h	2_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp eax, edx	2_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], BBE848DDh	2_2_00443E40
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx eax, byte ptr [edx]	2_2_00440E50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then push 4ACBA761h	2_2_0040DE0C
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp ecx	2_2_00441EE0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, bl	2_2_00441EE0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp eax	2_2_00439E8A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx]	2_2_00428F50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then jmp ecx	2_2_00441FC0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then movzx edi, bl	2_2_00441FC0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 4x nop then mov eax, ebx	2_2_0040CF90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.5:51533 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.5:65375 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056542 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bleedminejw .buzz) : 192.168.2.5:62342 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.5:53169 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.5:49708 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.5:63308 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.5:64637 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.5:61370 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.5:49710 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.5:49713 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.5:51276 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.5:51801 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.5:49716 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.5:49718 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49720 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49710 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49710 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49716 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49722 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49713 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49713 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49718 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49718 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49721 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49721 -> 172.67.206.204:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: drawwyobstacw.sbs
Source: Malware configuration extractor	URLs: mathcucom.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: enlargkiw.sbs
Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: bleedminejw.buzz
Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs
Source: Malware configuration extractor	URLs: allocatinow.sbs

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 172.67.152.13 172.67.152.13
Source: Joe Sandbox View	IP Address: 104.21.30.221 104.21.30.221

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=qEuMSc6rnoOw07.3fcU.Qak4OfZwqK1G3ybpwIQV99M-1728874927-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b7cb8c6e88b4056fce0b5c76; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 14 Oct 2024 03:02:06 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: bleedminejw.buzz
Source: global traffic	DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic	DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic	DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic	DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic	DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic	DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic	DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic	DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs

Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: SoftWare(2).exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: SoftWare(2).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SoftWare(2).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SoftWare(2).exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: SoftWare(2).exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: SoftWare(2).exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SoftWare(2).exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SoftWare(2).exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SoftWare(2).exe	String found in binary or memory: http://ocsp.digicert.com0
Source: SoftWare(2).exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SoftWare(2).exe	String found in binary or memory: http://ocsp.entrust.net02
Source: SoftWare(2).exe	String found in binary or memory: http://ocsp.entrust.net03
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: SoftWare(2).exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: SoftWare(2).exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condifendteu.sbs/
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condifendteu.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs:443/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/api07
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api2
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api=
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/Z-
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: SoftWare(2).exe, 00000002.00000003.2143756828.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-managction
Source: SoftWare(2).exe, 00000002.00000003.2143756828.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: SoftWare(2).exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 2_2_00434890 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434890

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 2_2_00434890 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434890

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 2_2_0043558E GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_0043558E

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007CE060	0_2_007CE060
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007DC120	0_2_007DC120
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C01C0	0_2_007C01C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0079C1BF	0_2_0079C1BF
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0077E190	0_2_0077E190
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C4234	0_2_007C4234
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D4290	0_2_007D4290
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0079C296	0_2_0079C296
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0079C35A	0_2_0079C35A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007DE320	0_2_007DE320
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D241A	0_2_007D241A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A84A0	0_2_007A84A0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007B85CF	0_2_007B85CF
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0079E5C0	0_2_0079E5C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007BC6F0	0_2_007BC6F0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D8690	0_2_007D8690
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007DE690	0_2_007DE690
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A2750	0_2_007A2750
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C2780	0_2_007C2780
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A6850	0_2_007A6850
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A89A0	0_2_007A89A0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007DEA00	0_2_007DEA00
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A4B39	0_2_007A4B39
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007B0B18	0_2_007B0B18
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C4C70	0_2_007C4C70
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C6C50	0_2_007C6C50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007CACE0	0_2_007CACE0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007CACD6	0_2_007CACD6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007BACC6	0_2_007BACC6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A4D60	0_2_007A4D60
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007BCDB0	0_2_007BCDB0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00782D9D	0_2_00782D9D
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007DED80	0_2_007DED80
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00786E51	0_2_00786E51
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D8FC0	0_2_007D8FC0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C8F88	0_2_007C8F88
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C9000	0_2_007C9000
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D30BF	0_2_007D30BF
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A3120	0_2_007A3120
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D5260	0_2_007D5260
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0077B25E	0_2_0077B25E
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A5220	0_2_007A5220
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A7570	0_2_007A7570
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0078B551	0_2_0078B551
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C75D0	0_2_007C75D0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A9870	0_2_007A9870
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D3870	0_2_007D3870
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007B9840	0_2_007B9840
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007758F5	0_2_007758F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A58B0	0_2_007A58B0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007DB899	0_2_007DB899
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007CBA18	0_2_007CBA18
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007D3AD0	0_2_007D3AD0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00771AC2	0_2_00771AC2
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C5AA1	0_2_007C5AA1
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007BBBFD	0_2_007BBBFD
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00789BCD	0_2_00789BCD
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007BBCD0	0_2_007BBCD0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A1D50	0_2_007A1D50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007A5D40	0_2_007A5D40
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0079FD00	0_2_0079FD00
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C9D06	0_2_007C9D06
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00771D0A	0_2_00771D0A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0079FD98	0_2_0079FD98
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007DDE10	0_2_007DDE10
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C5EC0	0_2_007C5EC0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007C3E90	0_2_007C3E90
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0043A320	2_2_0043A320
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00440762	2_2_00440762
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040E930	2_2_0040E930
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040EE60	2_2_0040EE60
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00442ED0	2_2_00442ED0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042E0C0	2_2_0042E0C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004420C0	2_2_004420C0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004270D8	2_2_004270D8
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0043E080	2_2_0043E080
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0043817F	2_2_0043817F
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00433120	2_2_00433120
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004081E0	2_2_004081E0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004411E0	2_2_004411E0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040127F	2_2_0040127F
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040A2E0	2_2_0040A2E0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004292F4	2_2_004292F4
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00425280	2_2_00425280
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042A292	2_2_0042A292
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004292A0	2_2_004292A0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00439350	2_2_00439350
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00401356	2_2_00401356
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00426330	2_2_00426330
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00442330	2_2_00442330
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004433E0	2_2_004433E0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042B42B	2_2_0042B42B
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004374DA	2_2_004374DA
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042F4F5	2_2_0042F4F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040D560	2_2_0040D560
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00442570	2_2_00442570
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0041D57E	2_2_0041D57E
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040C630	2_2_0040C630
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042EDC6	2_2_0042EDC6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004416E0	2_2_004416E0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00403680	2_2_00403680
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042C690	2_2_0042C690
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0043D750	2_2_0043D750
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00443750	2_2_00443750
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00430788	2_2_00430788
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004217B0	2_2_004217B0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00427840	2_2_00427840
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042C690	2_2_0042C690
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042E870	2_2_0042E870
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00407810	2_2_00407810
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040A970	2_2_0040A970
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0041E900	2_2_0041E900
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040B910	2_2_0040B910
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00438930	2_2_00438930
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040DA60	2_2_0040DA60
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00411A18	2_2_00411A18
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00443AC0	2_2_00443AC0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042AB2D	2_2_0042AB2D
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00415BD8	2_2_00415BD8
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00441B80	2_2_00441B80
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00438B90	2_2_00438B90
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0041DCC6	2_2_0041DCC6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0041FCB0	2_2_0041FCB0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00404D70	2_2_00404D70
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042BD10	2_2_0042BD10
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00429D30	2_2_00429D30
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042EDC6	2_2_0042EDC6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00439D8A	2_2_00439D8A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00420D90	2_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0042AD9A	2_2_0042AD9A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00443E40	2_2_00443E40
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00421E70	2_2_00421E70
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0040AE00	2_2_0040AE00
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00406E10	2_2_00406E10
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00409E20	2_2_00409E20
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00441EE0	2_2_00441EE0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00439E8A	2_2_00439E8A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00428F50	2_2_00428F50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00441FC0	2_2_00441FC0
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_007758F5	2_2_007758F5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0077E190	2_2_0077E190
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0077B25E	2_2_0077B25E
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00771AC2	2_2_00771AC2
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00789BCD	2_2_00789BCD
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0078B551	2_2_0078B551
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00771D0A	2_2_00771D0A
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00782D9D	2_2_00782D9D
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00786E51	2_2_00786E51

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: String function: 0040C430 appears 73 times
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: String function: 007A7370 appears 103 times
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: String function: 00781CFA appears 40 times
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: String function: 0041C410 appears 189 times
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: String function: 007B7350 appears 189 times
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: String function: 0077C1A5 appears 42 times
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: String function: 007761F0 appears 104 times

Source: C:\Users\user\Desktop\SoftWare(2).exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 308

Source: SoftWare(2).exe

Static PE information: invalid certificate

Source: SoftWare(2).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SoftWare(2).exe

Static PE information: Section: .data ZLIB complexity 0.9907404119318182

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/13@11/8

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 2_2_00425020 CoCreateInstance,

2_2_00425020

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6096
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1708

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5c56724c-d368-42cb-ace7-94fe3149d7f5

Jump to behavior

Source: SoftWare(2).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SoftWare(2).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SoftWare(2).exe	ReversingLabs: Detection: 42%
Source: SoftWare(2).exe	Virustotal: Detection: 42%

Source: C:\Users\user\Desktop\SoftWare(2).exe

File read: C:\Users\user\Desktop\SoftWare(2).exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 308
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1656
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1712
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SoftWare(2).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SoftWare(2).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007CCCA1 push es; ret	0_2_007CCCA3
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007E1233 push FFFFFFD4h; iretd	0_2_007E1236
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_007CD3BE push es; mov dword ptr [esp], eax	0_2_007CD3E2
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0077570F push ecx; ret	0_2_00775722
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00771F88 push eax; ret	0_2_00771FE4
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0044903D push FFFFFFD0h; retf	2_2_0044903F
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_004470F3 push FFFFFFD4h; iretd	2_2_004470F6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0043247E push es; mov dword ptr [esp], eax	2_2_004324A2
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0044A5B4 push ebx; retf 0041h	2_2_0044A5B5
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0044A5B8 push ebx; retf 0041h	2_2_0044A5B9
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00431D61 push es; ret	2_2_00431D63
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0077570F push ecx; ret	2_2_00775722
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00771F88 push eax; ret	2_2_00771FE4

Source: C:\Users\user\Desktop\SoftWare(2).exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe	API coverage: 5.2 %
Source: C:\Users\user\Desktop\SoftWare(2).exe	API coverage: 5.6 %

Source: C:\Users\user\Desktop\SoftWare(2).exe TID: 3364

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00787B87 FindFirstFileExW,		0_2_00787B87
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00787B87 FindFirstFileExW,		2_2_00787B87

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_546ea742dd48f46178dbb2b915245098904dcb1_95a35aca_fd133525-3c5c-41ae-bc01-a4509b427ecd\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_99eff584d7ae45d9eb7f2942b6104d7821b2b7b5_2927e4e7_43c31aa8-2cfa-4cc4-9dd5-bf9c1b22ee4c\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW O
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SoftWare(2).exe

API call chain: ExitProcess graph end node

graph_2-34056

Source: C:\Users\user\Desktop\SoftWare(2).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 2_2_0043A320 LdrInitializeThunk,

2_2_0043A320

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 0_2_0077BE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0077BE0F

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00782B19 mov eax, dword ptr fs:[00000030h]	0_2_00782B19
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00771FEA mov edi, dword ptr fs:[00000030h]	0_2_00771FEA
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00782B5D mov eax, dword ptr fs:[00000030h]	0_2_00782B5D
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0077F4C6 mov ecx, dword ptr fs:[00000030h]	0_2_0077F4C6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00782B5D mov eax, dword ptr fs:[00000030h]	2_2_00782B5D
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00782B19 mov eax, dword ptr fs:[00000030h]	2_2_00782B19
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0077F4C6 mov ecx, dword ptr fs:[00000030h]	2_2_0077F4C6
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00771FEA mov edi, dword ptr fs:[00000030h]	2_2_00771FEA

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 0_2_0078ACE2 GetProcessHeap,

0_2_0078ACE2

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00776120 SetUnhandledExceptionFilter,	0_2_00776120
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00775C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00775C64
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_0077BE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0077BE0F
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 0_2_00775F93 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00775F93
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00776120 SetUnhandledExceptionFilter,	2_2_00776120
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00775C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00775C64
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_0077BE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0077BE0F
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: 2_2_00775F93 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00775F93

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SoftWare(2).exe

Memory written: C:\Users\user\Desktop\SoftWare(2).exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SoftWare(2).exe	String found in binary or memory: enlargkiw.sbs
Source: SoftWare(2).exe	String found in binary or memory: allocatinow.sbs
Source: SoftWare(2).exe	String found in binary or memory: mathcucom.sbs
Source: SoftWare(2).exe	String found in binary or memory: bleedminejw.buzz
Source: SoftWare(2).exe	String found in binary or memory: drawwyobstacw.sbs
Source: SoftWare(2).exe	String found in binary or memory: condifendteu.sbs
Source: SoftWare(2).exe	String found in binary or memory: ehticsprocw.sbs
Source: SoftWare(2).exe	String found in binary or memory: vennurviot.sbs
Source: SoftWare(2).exe	String found in binary or memory: resinedyw.sbs

Source: C:\Users\user\Desktop\SoftWare(2).exe

Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_0078A11C
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	0_2_0078A3BE
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	0_2_0078A409
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	0_2_0078A4A4
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0078A52F
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,	0_2_0078A782
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0078A8AB
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,	0_2_0078A9B1
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0078AA80
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	0_2_00781A66
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,	0_2_00781F50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0078A8AB
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_0078A11C
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,	2_2_0078A9B1
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	2_2_00781A66
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0078AA80
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	2_2_0078A3BE
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	2_2_0078A409
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: EnumSystemLocalesW,	2_2_0078A4A4
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0078A52F
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,	2_2_00781F50
Source: C:\Users\user\Desktop\SoftWare(2).exe	Code function: GetLocaleInfoW,	2_2_0078A782

Source: C:\Users\user\Desktop\SoftWare(2).exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(2).exe

Code function: 0_2_007751AF GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_007751AF

Source: C:\Users\user\Desktop\SoftWare(2).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.SoftWare(2).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SoftWare(2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SoftWare(2).exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.SoftWare(2).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SoftWare(2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SoftWare(2).exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SoftWare(2).exe	42%	ReversingLabs	Win32.Trojan.Lumma
SoftWare(2).exe	42%	Virustotal		Browse
SoftWare(2).exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://avatars.akamai.steamstatic	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
condifendteu.sbs	172.67.141.136	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
vennurviot.sbs	172.67.140.193	true	true	unknown
drawwyobstacw.sbs	188.114.97.3	true	true	unknown
mathcucom.sbs	188.114.97.3	true	true	unknown
sergei-esenin.com	172.67.206.204	true	true	unknown
ehticsprocw.sbs	104.21.30.221	true	true	unknown
resinedyw.sbs	104.21.77.78	true	true	unknown
enlargkiw.sbs	172.67.152.13	true	true	unknown
allocatinow.sbs	unknown	unknown	true	unknown
bleedminejw.buzz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
enlargkiw.sbs	true		unknown
allocatinow.sbs	true		unknown
drawwyobstacw.sbs	true		unknown
mathcucom.sbs	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vennurviot.sbs/api	true		unknown
ehticsprocw.sbs	true		unknown
condifendteu.sbs	true		unknown
https://drawwyobstacw.sbs/api	true		unknown
bleedminejw.buzz	true		unknown
https://resinedyw.sbs/api	true		unknown
https://mathcucom.sbs/api	true		unknown
resinedyw.sbs	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	SoftWare(2).exe, 00000002.00000003.2143756828.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/Z-	SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drawwyobstacw.sbs:443/api	SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steam.tv/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/api07	SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	SoftWare(2).exe	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sketchfab.com	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	SoftWare(2).exe, 00000002.00000003.2143756828.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	SoftWare(2).exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	SoftWare(2).exe	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	SoftWare(2).exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	SoftWare(2).exe	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/api=	SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://medal.tv	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/api2	SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.cloudflare.com/learning/access-managction	SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/ts1ca.crl0	SoftWare(2).exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	SoftWare(2).exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	drawwyobstacw.sbs	European Union	13335	CLOUDFLARENETUS	true
172.67.152.13	enlargkiw.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.30.221	ehticsprocw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.141.136	condifendteu.sbs	United States	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
172.67.140.193	vennurviot.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.77.78	resinedyw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.206.204	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532890
Start date and time:	2024-10-14 05:01:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SoftWare(2).exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/13@11/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 84% Number of executed functions: 16 Number of non-executed functions: 188
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:01:57	API Interceptor	6x Sleep call for process: SoftWare(2).exe modified
23:02:15	API Interceptor	3x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	kitaygorod.top/EternalProcessorMultiwordpressdleTempcentraltemporary.php
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	host.cloudsonicwave.com/favicon.ico
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	www.avantfize.shop/q8x9/
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/fxts/
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe	Get hash	malicious	FormBook	Browse	www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	http://embittermentdc.com	Get hash	malicious	Unknown	Browse	embittermentdc.com/favicon.ico
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
172.67.152.13	Setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse
	Wintohdd.exe	Get hash	malicious	LummaC	Browse
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse
104.21.30.221	Setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	Wintohdd.exe	Get hash	malicious	LummaC	Browse
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
	vsYkceYJOX.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drawwyobstacw.sbs	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
vennurviot.sbs	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
condifendteu.sbs	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.15503.22039.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	23.212.89.10
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	2.19.126.150
	SecuriteInfo.com.Win32.Evo-gen.15503.22039.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	FACTURA.cmd	Get hash	malicious	DBatLoader	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	20Listen.eml	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	SecuriteInfo.com.Win32.Evo-gen.15503.22039.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 172.67.140.193 104.21.77.78 172.67.206.204

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_546ea742dd48f46178dbb2b915245098904dcb1_95a35aca_fd133525-3c5c-41ae-bc01-a4509b427ecd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.008502315544119
Encrypted:	false
SSDEEP:	192:PpBCN9WWcn0BU/YjGm+NzuiFUZ24IO8r:iN95c0BU/YjUzuiFUY4IO8r
MD5:	5C5D20600B5BA865D2E96FBE2B4C5C28
SHA1:	7A25A6F2FD66DBB6236AAF20F0FFDDCFAA144BD7
SHA-256:	EAB3CF698194219CA9AB429B8615E1717FC854FED9A0505A168AE4BA805EB2C5
SHA-512:	5562F920F42122CE4A561ECEA478BE7FC783EEF88BEBC1A76480BF124B10AF1B031613DD9D757FCDC56053C5FDE762BF7F27A1EA83221973C9BB4EC457A6ED2C
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.8.5.2.9.0.6.2.2.3.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.8.5.2.9.5.9.3.4.7.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.1.3.3.5.2.5.-.3.c.5.c.-.4.1.a.e.-.b.c.0.1.-.a.4.5.0.9.b.4.2.7.e.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.c.7.1.5.f.d.-.d.d.5.e.-.4.9.0.2.-.b.7.7.0.-.d.f.5.b.9.a.5.c.1.c.9.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.o.f.t.W.a.r.e.(.2.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.a.c.-.0.0.0.1.-.0.0.1.4.-.0.5.f.8.-.2.d.6.e.e.5.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.9.f.1.5.5.e.c.2.c.e.6.d.3.f.4.6.3.2.f.6.7.2.5.9.7.8.d.0.e.9.e.0.0.0.0.f.f.f.f.!.0.0.0.0.6.a.8.d.7.5.2.7.f.2.2.9.9.d.7.0.0.0.9.1.d.8.d.b.f.a.f.c.1.8.7.1.6.2.4.1.6.e.3.c.!.S.o.f.t.W.a.r.e.(.2.)...e.x.e.....T.a.r.g.e.t.A.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_8ee5b464331c84393527985073a16c78d63b1b_95a35aca_209ad8ac-ebfc-4dd4-bc55-8141efb30f65\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.013700158186463
Encrypted:	false
SSDEEP:	96:ijk7FZWWosRh41yLTSuQXIDcQ3c6VcExcw3k+HbHggggS/Yy2rLhOyRxDfQLPF5W:ig7rWWoH05RLRjGm+NzuiFvZ24IO8e
MD5:	5064ED02A183462C663D9929B88024EE
SHA1:	F0275C791B37041BFCCC871696EFD0712933F30A
SHA-256:	E800EA74CFD73483ED0936198B2850467575F7E2ABAAF833FC0BCFA70F14CD28
SHA-512:	C66D4DC7145D6F609A01F715183F7E04DA8EF664188CB7526F326AEE2C4B62AABD539D7C75A90D47776092AF43F93B868EF29964377F51ED9E55E984A8EE785B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.8.5.3.6.4.0.8.9.3.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.8.5.3.7.3.6.2.0.6.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.9.a.d.8.a.c.-.e.b.f.c.-.4.d.d.4.-.b.c.5.5.-.8.1.4.1.e.f.b.3.0.f.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.a.9.0.a.9.6.-.b.e.2.0.-.4.c.5.3.-.9.2.f.b.-.f.5.2.6.5.0.5.3.a.3.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.o.f.t.W.a.r.e.(.2.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.a.c.-.0.0.0.1.-.0.0.1.4.-.0.5.f.8.-.2.d.6.e.e.5.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.9.f.1.5.5.e.c.2.c.e.6.d.3.f.4.6.3.2.f.6.7.2.5.9.7.8.d.0.e.9.e.0.0.0.0.f.f.f.f.!.0.0.0.0.6.a.8.d.7.5.2.7.f.2.2.9.9.d.7.0.0.0.9.1.d.8.d.b.f.a.f.c.1.8.7.1.6.2.4.1.6.e.3.c.!.S.o.f.t.W.a.r.e.(.2.)...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_99eff584d7ae45d9eb7f2942b6104d7821b2b7b5_2927e4e7_43c31aa8-2cfa-4cc4-9dd5-bf9c1b22ee4c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.723371410201109
Encrypted:	false
SSDEEP:	192:iHMHFgnWWkdu0BU/YjuGzuiFUZ24IO8er:c5kdVBU/YjfzuiFUY4IO8er
MD5:	4BEE6E056A7A59CE63A5929D95B2CBB8
SHA1:	88EF94AFDC11D713B6A735AF5513D548C7BC5589
SHA-256:	B82384248197E4CB5F6C4BAA222436CC84A6FF73D05F21E92EA2C3FBF7F1DD1F
SHA-512:	C00772124455AD1E6849D5E13049511E7398BCB6BC29F9DFC67D9A91141E17D993E235C283FFD6245163819BCDCCE365291E61E119B0261E2AF194554A88EE6C
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.8.5.1.7.6.4.8.1.3.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.8.5.1.8.5.2.3.1.3.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.c.3.1.a.a.8.-.2.c.f.a.-.4.c.c.4.-.9.d.d.5.-.b.f.9.c.1.b.2.2.e.e.4.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.9.6.c.b.d.5.-.1.9.6.1.-.4.f.a.3.-.9.5.6.3.-.7.a.c.b.8.4.c.8.8.c.6.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.o.f.t.W.a.r.e.(.2.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.d.0.-.0.0.0.1.-.0.0.1.4.-.6.4.b.8.-.8.3.6.d.e.5.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.9.f.1.5.5.e.c.2.c.e.6.d.3.f.4.6.3.2.f.6.7.2.5.9.7.8.d.0.e.9.e.0.0.0.0.f.f.f.f.!.0.0.0.0.6.a.8.d.7.5.2.7.f.2.2.9.9.d.7.0.0.0.9.1.d.8.d.b.f.a.f.c.1.8.7.1.6.2.4.1.6.e.3.c.!.S.o.f.t.W.a.r.e.(.2.)...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1064.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 03:02:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	124166
Entropy (8bit):	1.9590336393102041
Encrypted:	false
SSDEEP:	384:rkCRjkBAoH7L//omueR2GSbznb9rYkQPHO/BscupqMuZxJbpqR:r7RjkBPoNYGmkagBiIHkR
MD5:	D011FCCF719959B4A8B82E9C22A022AE
SHA1:	BC56DE6C1021D079A24568C77C4592DF9A1E387B
SHA-256:	505DBD2B06040CA74FCDE179132FB4E64C8EB17FC5AD03DFDE048BF35A492434
SHA-512:	8866F10CD7869CA74FE0238602A87BD5EB6AAA02785CA0E23522D448DE5086196627556090723E8A154933CD86D4AE227B8B7B47A8BC23013A6B4ADAC9DD6330
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............................(.......T...."...........M..........`.......8...........T............A..V...........d"..........P$..............................................................................eJ.......$......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER117E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8308
Entropy (8bit):	3.6971879645204297
Encrypted:	false
SSDEEP:	192:R6l7wVeJrq6cne6Y8Z6kgmfl3prD89bynsf7JGm:R6lXJm696Yq6kgmfluysf7R
MD5:	18E55DC8D152A2EF3520E26879E7346A
SHA1:	E9A6DAC0C1D5A3E418807F66784BEA975DD05C3A
SHA-256:	D9E0AACF7C885A930BEBCADDFDE5EA01BFD115F4386A1C3AD4C5318A575359B5
SHA-512:	184E66A39B44AF7693B0A270DBAB0083453C2AFFC7417736750974F3B2E5D54E06BCBC31A041FDCB5DAF157BE3D158F71D11817A11C0FB8AF1070ACAE5D9692F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11AE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4586
Entropy (8bit):	4.464666783747673
Encrypted:	false
SSDEEP:	48:cvIwWl8zsoJg77aI9bIWpW8VYhYm8M4J0oLFZA+q8w9uJTd:uIjfuI7Fh7VBJ073uJTd
MD5:	1CD5652C1E80E12736B624291A55229F
SHA1:	6A7B99F2F815A6DE7B01055F965947484F8D3952
SHA-256:	CAAEC9CB657655AEA5C78B9367B8CEFE55853160C3A88C3152CB448289355FE1
SHA-512:	4C0171AF573C4FFC211358CFF037E25F4C9DDF914DFE0B428EB1F867B6640AB27EE847F81859251D3116E02AE4C2F42CA390F87B9A1F800A442490C82FB1B69F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542524" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D23.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 03:02:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	124672
Entropy (8bit):	1.9662740267344667
Encrypted:	false
SSDEEP:	384:6ZkCkwkB98ypFvpoH7E/VRmueR2GSbznb9rYLozekPBWs8FuXrY4PHm:g7VkB98yv1RNYGmLuBWvVCHm
MD5:	19BE9A8B50774E5FFF2EF315159EE2BA
SHA1:	37B9D35C3DAF3D55864A291D6488D30F4342A381
SHA-256:	D13722AFA09591B6AB223AA0E7483F3DDA74B4657FE81FE922CB4CE313413B35
SHA-512:	4B271E93D5DE7951D29AE9EE8F910390CB9DFF777F151B133318FD662DEE375EE98429094056AE1616CDE76379C35A1A512703A46ED089BED1B79835521A9448
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............................(.......T...."...........M..........`.......8...........T...........PB..............d"..........P$..............................................................................eJ.......$......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F47.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.688289835075537
Encrypted:	false
SSDEEP:	192:R6l7wVeJrb6LGne6Y8D6kgmflJPlpDH89b9nsf3fm:R6lXJn676Yg6kgmflJPI9sfu
MD5:	E1818C973C53E22F64FF3C8EAA8DEB4C
SHA1:	0FE03221CE5DB28904F51E952C6EE48B94CECA79
SHA-256:	7FC11BE05495FD7FEF1A9D101FADDDFF7161D9C81DD92179C3A0653C528B047D
SHA-512:	FDBD931AE8C05FE8D6B6AC53D441C62F797C6DF6B7BA3A8AF0DD1DD61F3C5B12FB5EC807C9F11B4A61ADA95C3156C191F66CE035E13D3C234819F03B13100E77
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.7.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F96.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4691
Entropy (8bit):	4.446408227912602
Encrypted:	false
SSDEEP:	48:cvIwWl8zsoJg77aI9bIWpW8VYaYm8M4J0ohF78G+q8v4juJTd:uIjfuI7Fh7VWJ0mKouJTd
MD5:	6C215CC028A93DBE9937A3E718134706
SHA1:	0BA7D9462E6B3AE610BE69982D7EF5C058C697E8
SHA-256:	2B5E7F4A433F021D4F9A6BBE856DB3CBD1F9EA3125151F149EE5E862E4ABC154
SHA-512:	6E2D7F91BF4B558C44D6880909FA7FD95D897F5C47725C3455231C3D64F814B4CCD6E158DAC44FD0F2D670AA9C5C833D70D1702C125E6D25BFD9C48B4BBFF45C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542524" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3D5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 14 03:01:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43088
Entropy (8bit):	1.6748656518583522
Encrypted:	false
SSDEEP:	96:578DkMqC8m5QyhaUqLZ1i7X9VZe9ZJB5R9hnhKQ7heIX0ofBqgNWIkWIDXImhlM6:WD1wLZ1OkDzFhntrUhlMgz
MD5:	6C855009C1EFAEB949341D8203428A59
SHA1:	45B81D4A86605D04979EDA4C33FD10FDCA53FA68
SHA-256:	B08D028921761C21A38A523FC6258E5A5DDFA720960C2C8906542571AB046E26
SHA-512:	E6E0BABC37D3F56E346E616BF25F84D1D2732DE6BC8285C9EC97B448DDECC56C54FA9CFFFFF4FAA94A1E17B93478F1A0710BAB022CE52C09C3D24C25E466D727
Malicious:	false
Preview:	MDMP..a..... ..........g........................0...........4...t!..........T.......8...........T...............8.......................................................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE619.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8408
Entropy (8bit):	3.6981138379512055
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8B686YEIsSUnlgmf23prt89b9Gsfd/m:R6lXJq686YETSUnlgmf2g9lfo
MD5:	A4763C30AEE78979ECADC05FF14A2BEE
SHA1:	85294E0DC88C12E70F75F2008D1EA6EF170D777C
SHA-256:	5E74361FD5B687912EDC64251A510195A58B139E516A184BAAC6D6E513FAF425
SHA-512:	5D5E97C89B250569F78D9E8CC27A3C178C00899C503A3C0D126CF8327AF65C9120E0C7D5E469EBBD72291C23FCAAEC51A10F8E15F6864F10AFFFD5B7F7B58DFD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE648.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4725
Entropy (8bit):	4.4828219144331
Encrypted:	false
SSDEEP:	48:cvIwWl8zsoJg77aI9bIWpW8VYDNYm8M4J0vJFE+q8v/W3uJ5d:uIjfuI7Fh7VeMJ0wKu3uJ5d
MD5:	F474DA4013CBBD149FEEE948C31EFC6D
SHA1:	04B1D12E85F0DE62872C5AB5E010A4C21A65F018
SHA-256:	4464D3C409C1BA7A31084315A51BBE667DA8CBDE48D2F7F4E3EE471D5BFEB9FB
SHA-512:	B2E9AD17626BF20B9977A12FA51687AFECFB01F04C32F998968439A0879940784BE0829FD26C0B73DFB4328B4F79CE8CFC5DADAFB74A9B229AF6E01EFB414E08
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542524" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421567581602444
Encrypted:	false
SSDEEP:	6144:fSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNw0uhiTw:qvloTMW+EZMM6DFyi03w
MD5:	31F670B5F4D2EC30F9052E07AB06E4B2
SHA1:	F943C43909AAD4377DAC9F0E87E1ECD0F7B65C0F
SHA-256:	360FA53AE4F61F040A515D71750C2CE5662C10D94E054A9E6E66C440974253B7
SHA-512:	4B8C7E6BC276496D7AB395337E96F3FD3277B887CFBD8788ABD33BB4F1FFAE87C28E6F3A0ADE6844EF2D5E44975D7CB46B7B96919E295BD95EF08FC627B50FEA
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..\n..................................................................................................................................................................................................................................................................................................................................................KZ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.709433961729613
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SoftWare(2).exe
File size:	526'376 bytes
MD5:	7b0d68253d0ee4679ec73a41ca863991
SHA1:	6a8d7527f2299d700091d8dbfafc187162416e3c
SHA256:	c6758c468acae7447f8f9b1a15039a30f4d4a18a15fede5fd8265fba9056be8e
SHA512:	036febf23c33de7f17652c9abb07efecb37e2ca960336504087a89649de827ed35184607b5d81230cbe0eed5d517a76976e4633d86e8d11d4741c94c35bfc164
SSDEEP:	12288:NHrgFkQcXp2B46eJujlxyjv3Ddg6EwkACFJZETOHY5e74+EO:NLgFk1p2B9eInkCFH1HY5Ujt
TLSH:	E9B4F11575C08073C5B359321AE4D6B0AE7EB9300F629D9FA3A40F7E4F352C1A625B6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e..o!..<!..<!..<...=-..<...=...<...=4..<1M.=4..<1M.=3..<...=$..<!..<Z..<1M.=u..<iL.= ..<iL.= ..<Rich!..<................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4054b4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C1AA6 [Sun Oct 13 19:08:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b7ebfc2ac31d5223dc33b9386c1e726b

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007FEC18C430AFh
jmp 00007FEC18C4250Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FEC18C426ABh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FEC18C4269Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FEC18C4269Eh
add edx, 28h
cmp edx, esi
jne 00007FEC18C4267Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FEC18C4268Bh
push esi
call 00007FEC18C433C2h
test eax, eax
je 00007FEC18C426B2h
mov eax, dword ptr fs:[00000018h]
mov esi, 0047DB64h
mov edx, dword ptr [eax+04h]
jmp 00007FEC18C42696h
cmp edx, eax
je 00007FEC18C426A2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FEC18C42682h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FEC18C42699h
mov byte ptr [0047DB68h], 00000001h
call 00007FEC18C42A41h
call 00007FEC18C45975h
test al, al
jne 00007FEC18C42696h
xor al, al
pop ebp
ret
call 00007FEC18C4E2FFh
test al, al
jne 00007FEC18C4269Ch
push 00000000h
call 00007FEC18C4597Ch
pop ecx
jmp 00007FEC18C4267Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0047DB69h], 00000000h
je 00007FEC18C42696h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a678	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7e200	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0x1aac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x28c58	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x28b98	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21000	0x158	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f734	0x1f800	d0ba337e5b55f10417e619243cd1cb33	False	0.5866970486111112	data	6.643433612143401	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x21000	0x9e62	0xa000	043c77307c7b39a67412b25ec0c98504	False	0.434814453125	data	4.950169841431272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x53784	0x52800	dbdb55d7bcc09d9c99407fbaacbdb1ff	False	0.9907404119318182	data	7.991551854149156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x7f000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x80000	0x1aac	0x1c00	edbc17efc9f29c315cc9db334a393029	False	0.7308872767857143	data	6.415878472175037	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

USER32.dll

ShowWindow

KERNEL32.dll

GetStartupInfoW, CreateFileW, CloseHandle, GetConsoleWindow, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, GetCurrentThreadId, WaitForSingleObjectEx, GetExitCodeThread, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, WriteConsoleW, HeapSize, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, ReadConsoleW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T05:01:58.047859+0200	2056542	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bleedminejw .buzz)	1	192.168.2.5	62342	1.1.1.1	53	UDP
2024-10-14T05:01:58.074676+0200	2056570	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)	1	192.168.2.5	63308	1.1.1.1	53	UDP
2024-10-14T05:01:58.574959+0200	2056571	ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)	1	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-14T05:01:59.507065+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-14T05:01:59.507065+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-14T05:01:59.512216+0200	2056568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)	1	192.168.2.5	65375	1.1.1.1	53	UDP
2024-10-14T05:01:59.522775+0200	2056566	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)	1	192.168.2.5	51533	1.1.1.1	53	UDP
2024-10-14T05:02:00.021290+0200	2056567	ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)	1	192.168.2.5	49708	172.67.152.13	443	TCP
2024-10-14T05:02:00.461098+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	172.67.152.13	443	TCP
2024-10-14T05:02:00.461098+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	172.67.152.13	443	TCP
2024-10-14T05:02:00.464540+0200	2056564	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)	1	192.168.2.5	53169	1.1.1.1	53	UDP
2024-10-14T05:02:00.962003+0200	2056565	ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)	1	192.168.2.5	49710	104.21.77.78	443	TCP
2024-10-14T05:02:01.532316+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49710	104.21.77.78	443	TCP
2024-10-14T05:02:01.532316+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49710	104.21.77.78	443	TCP
2024-10-14T05:02:01.540713+0200	2056562	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)	1	192.168.2.5	61370	1.1.1.1	53	UDP
2024-10-14T05:02:02.052402+0200	2056563	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)	1	192.168.2.5	49713	172.67.140.193	443	TCP
2024-10-14T05:02:02.598655+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49713	172.67.140.193	443	TCP
2024-10-14T05:02:02.598655+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49713	172.67.140.193	443	TCP
2024-10-14T05:02:02.607429+0200	2056560	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)	1	192.168.2.5	51801	1.1.1.1	53	UDP
2024-10-14T05:02:03.093703+0200	2056561	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)	1	192.168.2.5	49716	104.21.30.221	443	TCP
2024-10-14T05:02:03.527443+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49716	104.21.30.221	443	TCP
2024-10-14T05:02:03.527443+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49716	104.21.30.221	443	TCP
2024-10-14T05:02:03.541002+0200	2056558	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)	1	192.168.2.5	64637	1.1.1.1	53	UDP
2024-10-14T05:02:04.044625+0200	2056559	ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)	1	192.168.2.5	49718	172.67.141.136	443	TCP
2024-10-14T05:02:04.502673+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49718	172.67.141.136	443	TCP
2024-10-14T05:02:04.502673+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49718	172.67.141.136	443	TCP
2024-10-14T05:02:04.611627+0200	2056556	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)	1	192.168.2.5	51276	1.1.1.1	53	UDP
2024-10-14T05:02:05.139955+0200	2056557	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)	1	192.168.2.5	49719	188.114.97.3	443	TCP
2024-10-14T05:02:05.564571+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49719	188.114.97.3	443	TCP
2024-10-14T05:02:05.564571+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49719	188.114.97.3	443	TCP
2024-10-14T05:02:06.889131+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49720	104.102.49.254	443	TCP
2024-10-14T05:02:07.749283+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49721	172.67.206.204	443	TCP
2024-10-14T05:02:07.749283+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49721	172.67.206.204	443	TCP
2024-10-14T05:02:09.109074+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49722	172.67.206.204	443	TCP
2024-10-14T05:02:09.109074+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49722	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 05:01:58.091272116 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:58.091373920 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:58.091464996 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:58.093226910 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:58.093269110 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:58.574816942 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:58.574959040 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:58.668615103 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:58.668694973 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:58.669698000 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:58.724608898 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:59.092556000 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:59.092556000 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:59.092863083 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:59.507042885 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:59.507945061 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:59.508070946 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:59.509176016 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:59.509176016 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:01:59.509246111 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:59.509283066 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 14, 2024 05:01:59.541218042 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:01:59.541311026 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:01:59.541409969 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:01:59.541841984 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:01:59.541872025 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.021049023 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.021290064 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:02:00.025199890 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:02:00.025223970 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.025649071 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.027462959 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:02:00.027462959 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:02:00.027585030 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.461148024 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.461388111 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.461472988 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:02:00.461817980 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:02:00.461864948 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.461894989 CEST	49708	443	192.168.2.5	172.67.152.13
Oct 14, 2024 05:02:00.461910009 CEST	443	49708	172.67.152.13	192.168.2.5
Oct 14, 2024 05:02:00.479578018 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:00.479644060 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:00.479743004 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:00.480211973 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:00.480243921 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:00.961915016 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:00.962002993 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:00.964742899 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:00.964776039 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:00.965182066 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:00.967628002 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:00.967680931 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:00.967737913 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:01.532360077 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:01.532633066 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:01.532851934 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:01.532953024 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:01.532953024 CEST	49710	443	192.168.2.5	104.21.77.78
Oct 14, 2024 05:02:01.532996893 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:01.533024073 CEST	443	49710	104.21.77.78	192.168.2.5
Oct 14, 2024 05:02:01.554492950 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:01.554582119 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:01.554755926 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:01.555058002 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:01.555093050 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.052002907 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.052402020 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:02.162132978 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:02.162213087 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.163099051 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.173794985 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:02.173933029 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:02.174012899 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.598691940 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.598917007 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.599033117 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:02.599181890 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:02.599225998 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.599256992 CEST	49713	443	192.168.2.5	172.67.140.193
Oct 14, 2024 05:02:02.599272013 CEST	443	49713	172.67.140.193	192.168.2.5
Oct 14, 2024 05:02:02.619853020 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:02.619935989 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:02.620033979 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:02.620357990 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:02.620393991 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.093487024 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.093703032 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:03.095590115 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:03.095621109 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.095962048 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.097378969 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:03.097417116 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:03.097465992 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.527457952 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.527575970 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.527653933 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:03.527879953 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:03.527924061 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.527951002 CEST	49716	443	192.168.2.5	104.21.30.221
Oct 14, 2024 05:02:03.527966976 CEST	443	49716	104.21.30.221	192.168.2.5
Oct 14, 2024 05:02:03.556142092 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:03.556181908 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:03.556262970 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:03.556693077 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:03.556709051 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.044404984 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.044625044 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:04.048482895 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:04.048490047 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.048882961 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.057976007 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:04.058026075 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:04.058104038 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.502754927 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.503005981 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.503195047 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:04.554728031 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:04.554728031 CEST	49718	443	192.168.2.5	172.67.141.136
Oct 14, 2024 05:02:04.554763079 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.554776907 CEST	443	49718	172.67.141.136	192.168.2.5
Oct 14, 2024 05:02:04.641484976 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:04.641546011 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:04.641753912 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:04.651928902 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:04.651959896 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.139745951 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.139955044 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:05.141448975 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:05.141459942 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.141932964 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.143066883 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:05.143095016 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:05.143151045 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.564610004 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.564867020 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.564938068 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:05.568288088 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 14, 2024 05:02:05.568310022 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 14, 2024 05:02:05.608645916 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:05.608745098 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:05.608839035 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:05.609205961 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:05.609246016 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.325192928 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.325319052 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:06.327032089 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:06.327053070 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.327497959 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.329312086 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:06.375405073 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.889266014 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.889372110 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.889421940 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.889448881 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:06.889519930 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:06.889565945 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:06.889565945 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:06.889595032 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.020740986 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.020773888 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.021115065 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.021179914 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.021255016 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.027461052 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.027548075 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.027611017 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.027641058 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.027678013 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.027709961 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.027750969 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.027795076 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.027829885 CEST	49720	443	192.168.2.5	104.102.49.254
Oct 14, 2024 05:02:07.027864933 CEST	443	49720	104.102.49.254	192.168.2.5
Oct 14, 2024 05:02:07.100016117 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.100049019 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.100318909 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.100472927 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.100482941 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.591655016 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.591794968 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.593843937 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.593852997 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.594259977 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.595407963 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.595424891 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.595484018 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.749320030 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.749520063 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.749622107 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.749631882 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.750199080 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.750256062 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.750260115 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.750389099 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.750444889 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.750492096 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.750504017 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.750514984 CEST	49721	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.750519991 CEST	443	49721	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.863090992 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.863120079 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:07.863189936 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.866899014 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:07.866909981 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:08.337898970 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:08.337971926 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:08.341368914 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:08.341378927 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:08.341705084 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:08.343110085 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:08.343110085 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:08.343185902 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:09.109148979 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:09.109407902 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:09.109498024 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:09.109534979 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:09.109534979 CEST	49722	443	192.168.2.5	172.67.206.204
Oct 14, 2024 05:02:09.109555006 CEST	443	49722	172.67.206.204	192.168.2.5
Oct 14, 2024 05:02:09.109564066 CEST	443	49722	172.67.206.204	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 05:01:58.047858953 CEST	62342	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:01:58.056097984 CEST	53	62342	1.1.1.1	192.168.2.5
Oct 14, 2024 05:01:58.074676037 CEST	63308	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:01:58.086549044 CEST	53	63308	1.1.1.1	192.168.2.5
Oct 14, 2024 05:01:59.512216091 CEST	65375	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:01:59.520849943 CEST	53	65375	1.1.1.1	192.168.2.5
Oct 14, 2024 05:01:59.522774935 CEST	51533	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:01:59.540361881 CEST	53	51533	1.1.1.1	192.168.2.5
Oct 14, 2024 05:02:00.464540005 CEST	53169	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:02:00.478507042 CEST	53	53169	1.1.1.1	192.168.2.5
Oct 14, 2024 05:02:01.540713072 CEST	61370	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:02:01.553680897 CEST	53	61370	1.1.1.1	192.168.2.5
Oct 14, 2024 05:02:02.607429028 CEST	51801	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:02:02.619087934 CEST	53	51801	1.1.1.1	192.168.2.5
Oct 14, 2024 05:02:03.541002035 CEST	64637	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:02:03.555263042 CEST	53	64637	1.1.1.1	192.168.2.5
Oct 14, 2024 05:02:04.611627102 CEST	51276	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:02:04.629749060 CEST	53	51276	1.1.1.1	192.168.2.5
Oct 14, 2024 05:02:05.600227118 CEST	58044	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:02:05.607644081 CEST	53	58044	1.1.1.1	192.168.2.5
Oct 14, 2024 05:02:07.065016031 CEST	56006	53	192.168.2.5	1.1.1.1
Oct 14, 2024 05:02:07.099088907 CEST	53	56006	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 05:01:58.047858953 CEST	192.168.2.5	1.1.1.1	0x7863	Standard query (0)	bleedminejw.buzz	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:58.074676037 CEST	192.168.2.5	1.1.1.1	0x91fd	Standard query (0)	mathcucom.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:59.512216091 CEST	192.168.2.5	1.1.1.1	0x2aab	Standard query (0)	allocatinow.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:59.522774935 CEST	192.168.2.5	1.1.1.1	0x11b5	Standard query (0)	enlargkiw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:00.464540005 CEST	192.168.2.5	1.1.1.1	0x2133	Standard query (0)	resinedyw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:01.540713072 CEST	192.168.2.5	1.1.1.1	0xea7b	Standard query (0)	vennurviot.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:02.607429028 CEST	192.168.2.5	1.1.1.1	0x9bea	Standard query (0)	ehticsprocw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:03.541002035 CEST	192.168.2.5	1.1.1.1	0x8296	Standard query (0)	condifendteu.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:04.611627102 CEST	192.168.2.5	1.1.1.1	0xa1a0	Standard query (0)	drawwyobstacw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:05.600227118 CEST	192.168.2.5	1.1.1.1	0xec25	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:07.065016031 CEST	192.168.2.5	1.1.1.1	0x648b	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 05:01:58.056097984 CEST	1.1.1.1	192.168.2.5	0x7863	Name error (3)	bleedminejw.buzz	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:58.086549044 CEST	1.1.1.1	192.168.2.5	0x91fd	No error (0)	mathcucom.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:58.086549044 CEST	1.1.1.1	192.168.2.5	0x91fd	No error (0)	mathcucom.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:59.520849943 CEST	1.1.1.1	192.168.2.5	0x2aab	Name error (3)	allocatinow.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:59.540361881 CEST	1.1.1.1	192.168.2.5	0x11b5	No error (0)	enlargkiw.sbs		172.67.152.13	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:59.540361881 CEST	1.1.1.1	192.168.2.5	0x11b5	No error (0)	enlargkiw.sbs		104.21.33.249	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:00.478507042 CEST	1.1.1.1	192.168.2.5	0x2133	No error (0)	resinedyw.sbs		104.21.77.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:00.478507042 CEST	1.1.1.1	192.168.2.5	0x2133	No error (0)	resinedyw.sbs		172.67.205.156	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:01.553680897 CEST	1.1.1.1	192.168.2.5	0xea7b	No error (0)	vennurviot.sbs		172.67.140.193	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:01.553680897 CEST	1.1.1.1	192.168.2.5	0xea7b	No error (0)	vennurviot.sbs		104.21.46.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:02.619087934 CEST	1.1.1.1	192.168.2.5	0x9bea	No error (0)	ehticsprocw.sbs		104.21.30.221	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:02.619087934 CEST	1.1.1.1	192.168.2.5	0x9bea	No error (0)	ehticsprocw.sbs		172.67.173.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:03.555263042 CEST	1.1.1.1	192.168.2.5	0x8296	No error (0)	condifendteu.sbs		172.67.141.136	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:03.555263042 CEST	1.1.1.1	192.168.2.5	0x8296	No error (0)	condifendteu.sbs		104.21.79.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:04.629749060 CEST	1.1.1.1	192.168.2.5	0xa1a0	No error (0)	drawwyobstacw.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:04.629749060 CEST	1.1.1.1	192.168.2.5	0xa1a0	No error (0)	drawwyobstacw.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:05.607644081 CEST	1.1.1.1	192.168.2.5	0xec25	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:07.099088907 CEST	1.1.1.1	192.168.2.5	0x648b	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:02:07.099088907 CEST	1.1.1.1	192.168.2.5	0x648b	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mathcucom.sbs

enlargkiw.sbs

resinedyw.sbs

vennurviot.sbs

ehticsprocw.sbs

condifendteu.sbs

drawwyobstacw.sbs

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	188.114.97.3	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:59 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
2024-10-14 03:01:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:59 UTC	819	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nomd1qrp0jjefsuiq0nk9joqv1; expires=Thu, 06 Feb 2025 20:48:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J6yTJQ4JWuXPfI69gbC2L%2FY70y1zmE8ksUCV988ztq%2FbwTXl3bB%2FguPGljyXhJW9Gv9HhdC6ziT7A8yxRQTh5I7MsY4kk5Vncc61XHvZ5EP18PSW6%2FchSJT24%2Fdrf4Ya"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2453f4ae0b32dc-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:59 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	172.67.152.13	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:00 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
2024-10-14 03:02:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:02:00 UTC	815	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=71mb4e7p39l503iugd842udi3l; expires=Thu, 06 Feb 2025 20:48:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=74kxpk27cvDDvFWXoRmUagm%2FfwKWXZhUOe4vj2SnT9n144hIL4y26xOaNcopl6ivL6%2F9sS6Bxitr8gvYW4EXXGjophVr%2BVFlR7AW3ubkxZCwC0Wn5eVV7BzBsdPp5ufI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2453fa9bae43a4-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:02:00 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:02:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	104.21.77.78	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:00 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
2024-10-14 03:02:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:02:01 UTC	813	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ptfceigjke0reu3bnkh513qjj2; expires=Thu, 06 Feb 2025 20:48:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jIz6D4PRju5Wssp1l1ouDPtmzk3Qn9bdpzMOz4Q6wf2vCaCrJZZSawpsWL3vV4KD%2F0WWAum6QjpEKEZh1kq6I6iLrELQ9xkWRozF0%2FREDLTaTar6PHSd1HyRes01fG14"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2454008b917d00-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:02:01 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:02:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49713	172.67.140.193	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:02 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
2024-10-14 03:02:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:02:02 UTC	827	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=iooo0n8e4bqs8eg4udd8lm4unh; expires=Thu, 06 Feb 2025 20:48:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qjI6bgUT4BiNHWXFxr7U7xtw9%2FqMHuuWjOMQdoJZhyCP5jUNP%2BH2oP9DHAdyC5op2ihkgSHCgfxCHNPEHtP975aqblUh5mUOEs6t%2FECgcZl%2FLrbpcnqTfjpNKqYEKvWE%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d245407ea57c431-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:02:02 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:02:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49716	104.21.30.221	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:03 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
2024-10-14 03:02:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:02:03 UTC	821	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lce9vfd56f4astbkbaskvsf85n; expires=Thu, 06 Feb 2025 20:48:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tlV16wX%2B8cW88oAhPts%2FgVZ3Eifipmv2iFa41Ob9Mn1YatpOZ4VxaJghdlb7oMBdqVrtvlFm8POBPTcbefS0fTdgZiAqR%2BUxNhAlZym8l2XMowWZHYlW2pLkAmnqGfhM3y4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24540ddbbe4288-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:02:03 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:02:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49718	172.67.141.136	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:04 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
2024-10-14 03:02:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:02:04 UTC	815	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1j9nk9annlec7s38h28kus12fq; expires=Thu, 06 Feb 2025 20:48:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kuGE780d6Ii6AvOHEKfHm0hjJe46%2FYkjpHGSm3HDVjjn0ifw9SL0RYtS7d7up5jVtkw3JGak0xbNetzDcEOhcxiUH2L9VPAjVSaed7737GSNAbMq5dzZSXp0CqG1A36iKteJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d245413cecd7c8d-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:02:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:02:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49719	188.114.97.3	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:05 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawwyobstacw.sbs
2024-10-14 03:02:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:02:05 UTC	825	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cario1ebsap7ss76fg8f8gc8ko; expires=Thu, 06 Feb 2025 20:48:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RxBTl%2Fk832Fw2v1NyJ3JirqUAuMsFIGr9yhFwx5dO0SUueIpLBqyMH8Xhnk2nUyKcuDzjwVbQyRFkBr48zMY1Hv0Z9AFDtKLlFYzt1clT7RwNvPGsMuH%2BjUyaIQaw4hlpklXOA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24541a8e4dc343-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:02:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:02:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49720	104.102.49.254	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:06 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-14 03:02:06 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 14 Oct 2024 03:02:06 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=b7cb8c6e88b4056fce0b5c76; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-14 03:02:06 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-14 03:02:07 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-14 03:02:07 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-14 03:02:07 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49721	172.67.206.204	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:07 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-14 03:02:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:02:07 UTC	553	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7GwxZza5SbEwYRQFzNq0l0dPIve0bl5MAYKm5tPJOkKOCZ1EyirJVYonPJGffv%2FyvM4UIp%2FEyAdSNyCKU0O4rH1rMSqb%2BFFZGzkGiH3rnPgzEQUAIWjMpkRWnSHq7wf7016jIQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24542a0c664386-EWR
2024-10-14 03:02:07 UTC	816	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-14 03:02:07 UTC	1369	IN	Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-10-14 03:02:07 UTC	1369	IN	Data Raw: 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 Data Ascii: ement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <inp
2024-10-14 03:02:07 UTC	887	IN	Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="bra
2024-10-14 03:02:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49722	172.67.206.204	443	1708	C:\Users\user\Desktop\SoftWare(2).exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:02:08 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=qEuMSc6rnoOw07.3fcU.Qak4OfZwqK1G3ybpwIQV99M-1728874927-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: sergei-esenin.com
2024-10-14 03:02:08 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 75 6f 61 79 77 7a 79 72 6c 73 6f 63 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--uoaywzyrlsoc&j=
2024-10-14 03:02:09 UTC	833	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:02:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2r6ndd3j4gklvm742lje3183t1; expires=Thu, 06 Feb 2025 20:48:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EFrXSdW%2B1W7Fa891dnRI4KJxO5h7%2FO0rkVyaFJaCgL2%2B9BTn2A%2BghE9itIvYfhlvCCRcvjAhbe1wVdMaoAqH5icRCKgutxmJzOxKGpiFxPfxb10Z%2FzNo%2BTlRBmOzPMe2E7C1LQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24542e88a180d6-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:02:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:02:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	23:01:55
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SoftWare(2).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare(2).exe"
Imagebase:	0x770000
File size:	526'376 bytes
MD5 hash:	7B0D68253D0EE4679EC73A41CA863991
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:01:57
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SoftWare(2).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare(2).exe"
Imagebase:	0x770000
File size:	526'376 bytes
MD5 hash:	7B0D68253D0EE4679EC73A41CA863991
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:01:57
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 308
Imagebase:	0x590000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:02:08
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1656
Imagebase:	0x590000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:02:16
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1712
Imagebase:	0x590000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	71.1%
Signature Coverage:	16.3%
Total number of Nodes:	190
Total number of Limit Nodes:	18

Executed Functions

Function 00771FEA Relevance: 7.7, APIs: 5, Instructions: 153
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(007ECD40,000004E4,00000040,?), ref: 00772101
GetCurrentThreadId.KERNEL32 ref: 00772138
GetConsoleWindow.KERNEL32(00000001), ref: 00772167
ShowWindow.USER32(00000000), ref: 0077216E
std::_Throw_Cpp_error.LIBCPMT ref: 0077218D

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Window$ConsoleCpp_errorCurrentProtectShowThreadThrow_Virtualstd::_
String ID:
API String ID: 1484634515-0
Opcode ID: 6723c71da2918eae0276d08fcb2a422e22043021f1023b9189cb0c94b7b3e501
Instruction ID: 0753138a25edfdbd2616b157a3db03b18d09aa97562980bc6833a8b737a951d0
Opcode Fuzzy Hash: 6723c71da2918eae0276d08fcb2a422e22043021f1023b9189cb0c94b7b3e501
Instruction Fuzzy Hash: 9541E23290021AABDF1466758C46BAFBA59FB447D0F80C122F72E971D2E73C4643C3A5

Function 00782B19 Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f315124e78acaaec8f0725f6a2ca64dc6fe148e7525d3274ebf843a36424ae
Instruction ID: bd197cd5091a1a4ddd44e8a0943b54fbaa7d86414675d6155596c7132df013e3
Opcode Fuzzy Hash: 30f315124e78acaaec8f0725f6a2ca64dc6fe148e7525d3274ebf843a36424ae
Instruction Fuzzy Hash: 18F0A071652264EBCB16DB4CC445A8CB3ACEB09B51F114096E005EB191D2B8DD01C7C0

Function 00781C2F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,AB595993,?,00781D3C,?,?,?,00000000), ref: 00781CF0

Strings

api-ms-, xrefs: 00781C86
ext-ms-, xrefs: 00781C9A

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 9a8413be067bde4e919a80d3ff232ec992d6902b577582a7a62b9e5b2c2fce5a
Instruction ID: 423e30b295b8f6df1262515f8bac793550a83ffb948bdf69f722cf2bbd8fdd98
Opcode Fuzzy Hash: 9a8413be067bde4e919a80d3ff232ec992d6902b577582a7a62b9e5b2c2fce5a
Instruction Fuzzy Hash: 25210271AC1251ABCB21AB25AC55EAA376C9B01760B610621E915A7290D639ED03C7E0

Function 00779EBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00009D5F,00000000,00000000,?), ref: 00779F04
GetLastError.KERNEL32(?,00772129,00000000,00000000,00772C5B,00000000,00000000), ref: 00779F10
__dosmaperr.LIBCMT ref: 00779F17

Strings

[,w, xrefs: 00779F2C

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: [,w
API String ID: 2744730728-1761122162
Opcode ID: 5555cf1f20e01d008f309402f0a7db5eaec256ea81b310e5439b5ae5f7828622
Instruction ID: 98ebc71b370d1a72eb5f37c3166f87aea42deac091bd485c5aeb761ff39b33d5
Opcode Fuzzy Hash: 5555cf1f20e01d008f309402f0a7db5eaec256ea81b310e5439b5ae5f7828622
Instruction Fuzzy Hash: 8701B172512209EFDF159FA0DC0AAEE7B64EF043A0F10C159FA0996150DB79CD90DB90

Function 00779D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00799F68,0000000C), ref: 00779D72
ExitThread.KERNEL32 ref: 00779D79

Strings

4=w, xrefs: 00779DAF

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread
String ID: 4=w
API String ID: 1611280651-2024421503
Opcode ID: cb020750e7f13e0bba8fd833236084783aa8cb87a5bc7f06aaa52b207dd35851
Instruction ID: 3cb513c8d8fbbfb7058e820fcc5863f8068d3839892b9cca5158ec887d00134f
Opcode Fuzzy Hash: cb020750e7f13e0bba8fd833236084783aa8cb87a5bc7f06aaa52b207dd35851
Instruction Fuzzy Hash: D9F08C70A41609EFDF10ABB4C80EA6E3B64EF00341F10814AF10997292CB3D5952CBA1

Function 00781CFA Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8398fe8cff2acfa0aae6f73e9c1c7616526bf8062d43e0d5ccb022a9a433492
Instruction ID: 02e90173b0115298c8e339e1c4371226cae3d75469dce119630428c2c7640b03
Opcode Fuzzy Hash: c8398fe8cff2acfa0aae6f73e9c1c7616526bf8062d43e0d5ccb022a9a433492
Instruction Fuzzy Hash: 9E0128373806159F9F15AE6DEC40B5B339EEB857703A48621F910CB1A8EB39D81387A0

Non-executed Functions

Function 007C2780 Relevance: 53.4, Strings: 42, Instructions: 896
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8U#k, xrefs: 007C3267
|}, xrefs: 007C35B4
aQgW, xrefs: 007C3555
W!Q', xrefs: 007C31E5
TeN{, xrefs: 007C328F
=A*G, xrefs: 007C3235
*mDs, xrefs: 007C3598
A9L?, xrefs: 007C31F9
:a<g, xrefs: 007C3285
1qLw, xrefs: 007C359F
eU>[, xrefs: 007C355F
Te[k, xrefs: 007C3587
z5R7, xrefs: 007C3ACE
8M'C, xrefs: 007C322B
Ym%c, xrefs: 007C327B
g1C7, xrefs: 007C320D
XiZo, xrefs: 007C3591
q-G#, xrefs: 007C31DB
Y-F3, xrefs: 007C34FB
IK, xrefs: 007C3809
I!J', xrefs: 007C34DD
xIzO, xrefs: 007C3541
M}Cs, xrefs: 007C32A3
R5=K, xrefs: 007C3217
5Q!W, xrefs: 007C325D
E%A;, xrefs: 007C31EF
mn, xrefs: 007C3A34
d]Zc, xrefs: 007C3573
NuA{, xrefs: 007C35A6
mn, xrefs: 007C37BE, 007C2DCE
}MeS, xrefs: 007C354B
t)}/, xrefs: 007C34F1
A%]+, xrefs: 007C34E7
!aVg, xrefs: 007C357D
G5U;, xrefs: 007C350F
_i%o, xrefs: 007C3271
%].S, xrefs: 007C3253
\1E7, xrefs: 007C3505
v9u;, xrefs: 007C3AC4
+Y$_, xrefs: 007C3249
}=p?, xrefs: 007C3ABA
4CA, xrefs: 007C366A

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: !aVg$%].S$*mDs$+Y$_$1qLw$4CA$5Q!W$8M'C$8U#k$:a<g$=A*G$A%]+$A9L?$E%A;$G5U;$I!J'$M}Cs$NuA{$R5=K$TeN{$Te[k$W!Q'$XiZo$Y-F3$Ym%c$\1E7$_i%o$aQgW$d]Zc$eU>[$g1C7$mn$mn$q-G#$t)}/$v9u;$xIzO$z5R7$|}$}=p?$}MeS$IK
API String ID: 0-3572323085
Opcode ID: 7d81084698c170811676c98afcd9921b290fd814a69b823ccf916b24db75b500
Instruction ID: 8229c769cb27adce9f2f197ad7eacbb3cd30e760e9d90af7d632ce119706a0d9
Opcode Fuzzy Hash: 7d81084698c170811676c98afcd9921b290fd814a69b823ccf916b24db75b500
Instruction Fuzzy Hash: 52A253B0915368CFDB28CF15D881789BB72FB45304F1586E8C8996F75ADB748A86CF80

Function 007D30BF Relevance: 37.8, Strings: 30, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

j, xrefs: 007D3109
L, xrefs: 007D3179
{, xrefs: 007D3121
K, xrefs: 007D3189
lXKL, xrefs: 007D3385
m, xrefs: 007D30E1
O, xrefs: 007D3169
x, xrefs: 007D3397
X, xrefs: 007D3199
l, xrefs: 007D31A9
o, xrefs: 007D31A1
o, xrefs: 007D30F9
2, xrefs: 007D3161
^, xrefs: 007D30D1
s, xrefs: 007D3139
X, xrefs: 007D3191
C, xrefs: 007D3171
z, xrefs: 007D3111
J, xrefs: 007D3181
G, xrefs: 007D3131
/, xrefs: 007D31B1
{, xrefs: 007D3393
z, xrefs: 007D3119
g, xrefs: 007D3101
H, xrefs: 007D3159
], xrefs: 007D30D9
Q, xrefs: 007D30F1
E, xrefs: 007D3151
z, xrefs: 007D338F
z, xrefs: 007D3149

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: /$2$C$E$G$H$J$K$L$O$Q$X$X$]$^$g$j$l$lXKL$m$o$o$s$x$z$z$z$z${${
API String ID: 0-233160081
Opcode ID: 908cd8c619765ef05751910233e6dd7095f4857afd7dd9ab908cca53df4eac93
Instruction ID: f15830c1c0b4ad13a24c68ff24d9aef448798a57ef9a5ce235eedcae93c71279
Opcode Fuzzy Hash: 908cd8c619765ef05751910233e6dd7095f4857afd7dd9ab908cca53df4eac93
Instruction Fuzzy Hash: 3DD1CE216087D18ADB26CF3C888435A7FA15B67324F1D83D9D8E94F3D7C269C946C3A6

Function 007B9840 Relevance: 24.0, Strings: 18, Instructions: 1457COMMON

Download Yara Rule

Strings

wr, xrefs: 007BA688
<=>?, xrefs: 007B9C2C
p, xrefs: 007BA680
Vm, xrefs: 007BA788
LM, xrefs: 007BA553
<, xrefs: 007BA3FA
U[NM, xrefs: 007B9A76
cjXH, xrefs: 007BA023
}, xrefs: 007BA690
,, xrefs: 007B9977
ursp, xrefs: 007B9A81
==, xrefs: 007BA56C
ZjXH, xrefs: 007B9FF4
anol, xrefs: 007B9A60
DEFG, xrefs: 007B9C76
$, xrefs: 007B9BB5
@ABC, xrefs: 007B9C81
x:~G, xrefs: 007B9D68

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: p$$$,$<$<=>?$@ABC$DEFG$LM$U[NM$Vm$ZjXH$anol$cjXH$ursp$wr$x:~G$}$==
API String ID: 0-2133154573
Opcode ID: 775dc3a3cd4c97fa0d835cb7c34e0b2a31564ca017fb35a21f984a5ec765dec7
Instruction ID: d335fbfd49406ead6fd70d8c319c2f8de0ff123a67d2fd0f18bf5501ea224a38
Opcode Fuzzy Hash: 775dc3a3cd4c97fa0d835cb7c34e0b2a31564ca017fb35a21f984a5ec765dec7
Instruction Fuzzy Hash: A1B2D1716083819BD724DF28C8917EBBBE2EFD6304F18892DE5D98B291DB789405CB53

Function 007D3AD0 Relevance: 19.1, Strings: 15, Instructions: 371COMMON

Download Yara Rule

Strings

1, xrefs: 007D3AEE
T, xrefs: 007D3D34
F, xrefs: 007D3D2F
Q, xrefs: 007D3D25
e, xrefs: 007D3CDC
8, xrefs: 007D3DC9
T, xrefs: 007D3CD2
i, xrefs: 007D3E89
%, xrefs: 007D3E7F
., xrefs: 007D3DD3
(, xrefs: 007D3DCE
Q, xrefs: 007D3CD7
R, xrefs: 007D3D2A
1, xrefs: 007D3BE1
b, xrefs: 007D3CCD

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: %$($.$1$1$8$F$Q$Q$R$T$T$b$e$i
API String ID: 0-2122394841
Opcode ID: 8a5d91af19b7b37009166674fd63a2f973c87aed2b69303df523dafd2ac621c9
Instruction ID: 1492f28524c68dce2a1d3a6e9994689490ad50a19758806b703c5d11f85df8ab
Opcode Fuzzy Hash: 8a5d91af19b7b37009166674fd63a2f973c87aed2b69303df523dafd2ac621c9
Instruction Fuzzy Hash: 93D16973A0C3D046C719853C8C8535BAEE24BE6228F2E4A6EE5E5C73C3D5ADC9058363

Function 007D4290 Relevance: 11.5, Strings: 9, Instructions: 217COMMON

Download Yara Rule

Strings

z, xrefs: 007D44B7
z, xrefs: 007D43A0
x, xrefs: 007D42AE
x, xrefs: 007D43AA
{, xrefs: 007D44BC
{, xrefs: 007D43A5
x, xrefs: 007D44C1
{, xrefs: 007D42A9
z, xrefs: 007D42A4

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: x$x$x$z$z$z${${${
API String ID: 0-939428423
Opcode ID: ea3db58535a46d0c26939d1608f90aead47ceb6b213927aa12502e45fca82fb7
Instruction ID: b391c154de835b39cb14edf32eb685a69658286400fb6ff854e35f34bd590bc5
Opcode Fuzzy Hash: ea3db58535a46d0c26939d1608f90aead47ceb6b213927aa12502e45fca82fb7
Instruction Fuzzy Hash: B481FF7060C3808BE7149B18C45072FBBF1AB92358F19892EE5C697392C77EC889C717

Function 0078AA80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0078AB8C
IsValidCodePage.KERNEL32(00000000), ref: 0078ABD5
IsValidLocale.KERNEL32(?,00000001), ref: 0078ABE4
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0078AC2C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0078AC4B

Strings

L]y, xrefs: 0078AAE5

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: L]y
API String ID: 415426439-2685224759
Opcode ID: c96d6109c00103019bf862d505664115e9c2b512746a01b7134d8c280cd590a3
Instruction ID: e574b55578ef2335807c27eb35cfaf59133b179ada0115787bc92cff314114ed
Opcode Fuzzy Hash: c96d6109c00103019bf862d505664115e9c2b512746a01b7134d8c280cd590a3
Instruction Fuzzy Hash: 9851A2B1A80209BFEF11EFA9CC45EAE77B9AF04700F04446BA505E7191E7789941CB62

Function 007A9870 Relevance: 10.4, Strings: 8, Instructions: 385COMMON

Download Yara Rule

Strings

fonq, xrefs: 007A99BA
x>, xrefs: 007A9C7C
`a, xrefs: 007A9A0A
vLyB, xrefs: 007A9BB3
b, xrefs: 007A9C65
B/, xrefs: 007A9C5E
JpzN, xrefs: 007A9BCB
x, xrefs: 007A988E

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: B/$JpzN$`a$b$fonq$vLyB$x$x>
API String ID: 0-3121179879
Opcode ID: 0839a0a365fbfae109be376204226be303479133b47b25a3baa2af3ec454ade2
Instruction ID: 99ce132c0418ab3b48795ebc517f75656d059eb9fb7410a41fc3eec14923ad55
Opcode Fuzzy Hash: 0839a0a365fbfae109be376204226be303479133b47b25a3baa2af3ec454ade2
Instruction Fuzzy Hash: C9C111B124C3908BD314CF2494A036FBBE1ABD2714F18CA6CE5D55B391D7398D1ACBA2

Function 007A84A0 Relevance: 10.4, Strings: 8, Instructions: 358COMMON

Download Yara Rule

Strings

4, xrefs: 007A850D
opur, xrefs: 007A865E
sm, xrefs: 007A87AC
.~d2, xrefs: 007A867B
xu, xrefs: 007A879C
6<>2, xrefs: 007A8713
@e, xrefs: 007A8794
B~d2, xrefs: 007A86AF

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: .~d2$4$6<>2$@e$B~d2$opur$sm$xu
API String ID: 0-2178514450
Opcode ID: dbec77187a7d96c4dc3f4d791cc9ad6e38d7bd257b29fcec93e52e14597bde06
Instruction ID: b8379bb5dd1ecb32940dbdbdf5770762a97c628b1f0ba128ff681a998cbf4e64
Opcode Fuzzy Hash: dbec77187a7d96c4dc3f4d791cc9ad6e38d7bd257b29fcec93e52e14597bde06
Instruction Fuzzy Hash: 9AC1AFB5A083908BD324CF25C84475BBBE2EBD6314F188A6DE4D85B391DB798905CB87

Function 007AC2A8 Relevance: 10.3, Strings: 8, Instructions: 279COMMON

Download Yara Rule

Strings

SQ, xrefs: 007AC4DA
[Y, xrefs: 007AC4CC
{BCr, xrefs: 007AC324
/=-, xrefs: 007AC4E1
~DKB, xrefs: 007AC316
:+*), xrefs: 007AC4E8
WU, xrefs: 007AC4D3
vxsB, xrefs: 007AC31D

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: :+*)$vxsB${BCr$~DKB$/=-$SQ$WU$[Y
API String ID: 0-3665677190
Opcode ID: 787f2bf862c008f9b0892876fe1a9a5b58591d2be0b5263b8d2fe869734e621a
Instruction ID: df67cef3c1e7c0a8243685512401d20e1275c01a535328487ad73178a95d1dba
Opcode Fuzzy Hash: 787f2bf862c008f9b0892876fe1a9a5b58591d2be0b5263b8d2fe869734e621a
Instruction Fuzzy Hash: E291DCB51047808FD3268F2AC0A1B66BFE1EF96300F299A9CD0C64F762D739E406CB55

Function 007AC5D5 Relevance: 10.3, Strings: 8, Instructions: 252COMMON

Download Yara Rule

Strings

{BCr, xrefs: 007AC633
vxsB, xrefs: 007AC62C
/=-, xrefs: 007AC7E1
SQ, xrefs: 007AC7DA
~DKB, xrefs: 007AC625
:+*), xrefs: 007AC7E8
WU, xrefs: 007AC7D3
[Y, xrefs: 007AC7CC

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: :+*)$vxsB${BCr$~DKB$/=-$SQ$WU$[Y
API String ID: 0-3665677190
Opcode ID: e1e7b101d4702a6b0058dd4819b8df915b64fcd6af3fa6f9b27231966e35f251
Instruction ID: 502f1d7fd2cf7e738279c1e2844bfe0161388f8fea2c6f4ed4cb8b4232b870af
Opcode Fuzzy Hash: e1e7b101d4702a6b0058dd4819b8df915b64fcd6af3fa6f9b27231966e35f251
Instruction Fuzzy Hash: E381BAB41057808FD326CF2AC5A1B62BFE1EF92310B199A9CD0D64FB66D739E406CB54

Function 0078B551 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0078B735

Strings

1#INF, xrefs: 0078B687
1#IND, xrefs: 0078B656
1#SNAN, xrefs: 0078B65D
1#QNAN, xrefs: 0078B664

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c83581f9ded2dd8b488aaf4fc9a46d6bf52c4aa878ab128743c5ebdc22c8e70f
Instruction ID: 4065f27f4714a124a2a68f70c4368d382c307c92cbed0212b99b6b34275b4e95
Opcode Fuzzy Hash: c83581f9ded2dd8b488aaf4fc9a46d6bf52c4aa878ab128743c5ebdc22c8e70f
Instruction Fuzzy Hash: 73D23871E482288FDF65DE28DD447EAB7B9EB48304F1445EAD40DE7240EB38AE858F51

Function 0078A11C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

GetACP.KERNEL32(?,?,?,?,?,?,0077FDE0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0078A1DD
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0077FDE0,?,?,?,00000055,?,-00000050,?,?), ref: 0078A208
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0078A36B

Strings

utf8, xrefs: 0078A2DA
L]y, xrefs: 0078A15E

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: L]y$utf8
API String ID: 607553120-1438822892
Opcode ID: 33e90cf3a4fc229a089d312376dbdb12f9cfa79f5764b93363f2fecb5e6422e2
Instruction ID: 4d6301718df969c4320c357c27071f753632c2da45d7708dad6cbfff18bb0ca0
Opcode Fuzzy Hash: 33e90cf3a4fc229a089d312376dbdb12f9cfa79f5764b93363f2fecb5e6422e2
Instruction Fuzzy Hash: 9371D571A80206FBEB25BB75DC4ABA673A8EF44710F14402BE605D7181FB7CE941C7A2

Function 0078A8AB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0078ABC9,00000002,00000000,?,?,?,0078ABC9,?,00000000), ref: 0078A944
GetLocaleInfoW.KERNEL32(?,20001004,0078ABC9,00000002,00000000,?,?,?,0078ABC9,?,00000000), ref: 0078A96D
GetACP.KERNEL32(?,?,0078ABC9,?,00000000), ref: 0078A982

Strings

ACP, xrefs: 0078A8C9
OCP, xrefs: 0078A8FF

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 082358dbb7a97bbcd9687de8a958f66cf9f796031367e094d0f6d6822a94e35e
Instruction ID: 39f6cb47417a243fcd9d58ac0f62c50e9b27a5535d2ade89534d550d90999a5f
Opcode Fuzzy Hash: 082358dbb7a97bbcd9687de8a958f66cf9f796031367e094d0f6d6822a94e35e
Instruction Fuzzy Hash: 7B21F822684102B6FB35AF54D801AA773A7AB64B60B57C026E90AD7100F73AED81C362

Function 0079C1BF Relevance: 7.1, Strings: 5, Instructions: 849COMMON

Download Yara Rule

Strings

u, xrefs: 0079C66F
0, xrefs: 0079C837
0, xrefs: 0079D37D
0, xrefs: 0079C781
i, xrefs: 0079D7A9

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: 0$0$0$i$u
API String ID: 0-2578075383
Opcode ID: dc28e36312bae1ee21b853c1ebcaf6939eaf5b1a772555be3d98257322c8242b
Instruction ID: 900a3f1f9f121f6ede2a6b0f4004a4bbf5616fd50d3d2551f088cdca75459fca
Opcode Fuzzy Hash: dc28e36312bae1ee21b853c1ebcaf6939eaf5b1a772555be3d98257322c8242b
Instruction Fuzzy Hash: C1620471A0C3418BCB28CF28D59076ABBE1ABD5754F148A2DE8D997391E378DD05CB82

Function 0079C35A Relevance: 6.7, Strings: 5, Instructions: 423COMMON

Download Yara Rule

Strings

A, xrefs: 0079C35F
gfff, xrefs: 0079D257
-, xrefs: 0079D152
gfff, xrefs: 0079D211
gfff, xrefs: 0079D1AA

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: -$A$gfff$gfff$gfff
API String ID: 0-966635023
Opcode ID: 443818a6c78d4fddaf64389449961979b3d69d901b4ba1785f10b1d502e0c42c
Instruction ID: 69013e95f6647288c2efea21c5fa14b9a53209a37a8ede7ff0f9c77e41c629d2
Opcode Fuzzy Hash: 443818a6c78d4fddaf64389449961979b3d69d901b4ba1785f10b1d502e0c42c
Instruction Fuzzy Hash: CDF1C172A083918FCB14CE1DD49076ABBE2AFD5310F198A2DE4D98B351D378DD05DB82

Function 0079C296 Relevance: 6.6, Strings: 5, Instructions: 338COMMON

Download Yara Rule

Strings

gfff, xrefs: 0079CF22
gfff, xrefs: 0079CED5
gfff, xrefs: 0079CEC0
E, xrefs: 0079C29B
-, xrefs: 0079CE8F

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: -$E$gfff$gfff$gfff
API String ID: 0-3987530376
Opcode ID: 11040854840b78cd9990382679662be7cea7df8bb9bc09829fd02f3d034f4e88
Instruction ID: ba711cdfbca5dc46652cdefdb6fca5d1bd339b272312edcb8a0d6e7263491f3f
Opcode Fuzzy Hash: 11040854840b78cd9990382679662be7cea7df8bb9bc09829fd02f3d034f4e88
Instruction Fuzzy Hash: CED1B671A0C3518FCB15CE29D48026AFBE2AFD5314F18CA6DE4D887352D738DD058B92

Function 007BACC6 Relevance: 6.6, Strings: 5, Instructions: 333COMMON

Download Yara Rule

Strings

Q+W), xrefs: 007BAE5F
W!G#, xrefs: 007BAF20
PQ, xrefs: 007BAF0E
?, xrefs: 007BAE77
0/q-, xrefs: 007BAE57

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: ?$0/q-$PQ$Q+W)$W!G#
API String ID: 0-2702543116
Opcode ID: 95856603d8f496d47e0dd112f2fc3d0ec56e58eebcd8d7386f59b0cffb145ae0
Instruction ID: 3cd8f60d53ba11b9d649d07027d1d0afdb32e976b4adb3a6102a8131841d7869
Opcode Fuzzy Hash: 95856603d8f496d47e0dd112f2fc3d0ec56e58eebcd8d7386f59b0cffb145ae0
Instruction Fuzzy Hash: ECB1DCB140C3819FC704DF25D8956AFBBE2EBD1364F088A2CE4D95B261D778C609CB86

Function 00782D9D Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00782E2A

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction ID: 3b28c51fdfd84aaca524ef25c381723d8a4553958f59bbfa574a2a27434e2827
Opcode Fuzzy Hash: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction Fuzzy Hash: 3BB13832A442559FDB15EF68C885BFEBBB5EF55310F14816AE905AB242D23C9D02CBA0

Function 00775F93 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00775F9F
IsDebuggerPresent.KERNEL32 ref: 0077606B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00776084
UnhandledExceptionFilter.KERNEL32(?), ref: 0077608E

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a66545f30332968e70502fff4aa1d5db78371bdc0b0f9aef3067eba6c49ba413
Instruction ID: 1f066b6995fafb2014b079438d0d7d1806f45c27677bd8831131e3019590cef3
Opcode Fuzzy Hash: a66545f30332968e70502fff4aa1d5db78371bdc0b0f9aef3067eba6c49ba413
Instruction Fuzzy Hash: C3312375D01219DBDF21DFA4D849BCDBBB8BF08340F0081AAE40CAB250EB759A858F45

Function 007CACE0 Relevance: 5.4, Strings: 4, Instructions: 447COMMON

Download Yara Rule

Strings

jxpr, xrefs: 007CB27C
w`t=, xrefs: 007CAD16
~y{#, xrefs: 007CB272
,"V, xrefs: 007CAD0C

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: ,"V$jxpr$w`t=$~y{#
API String ID: 0-2435074625
Opcode ID: fd8032c87dd2205076a7666ae1ae04bdf86579f3d5699c2a5137c1af17a5b181
Instruction ID: cce1780cfda64e8076cbeea5844606ae86fa08ffcae8c104878cb72e9b229467
Opcode Fuzzy Hash: fd8032c87dd2205076a7666ae1ae04bdf86579f3d5699c2a5137c1af17a5b181
Instruction Fuzzy Hash: 98D1E460504B818EE7258F35C425BB7BFE19F63305F18889DD1EB9B283D779640ACB26

Function 00771AC2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00772B18: __EH_prolog3_catch.LIBCMT ref: 00772B1F

_Deallocate.LIBCONCRT ref: 00771C9D
_Deallocate.LIBCONCRT ref: 00771CEA

Strings

Current val: %d, xrefs: 00771C76

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Deallocate$H_prolog3_catch
String ID: Current val: %d
API String ID: 1212816977-1825967858
Opcode ID: 039c05c3fba636b48b8683b418e7187368da0260861c502fa0cd2dcb72e156f6
Instruction ID: 165a54a09ac655d3958bf4875ba0dabdd66fcb289b7f59ae1f39e272a390fa26
Opcode Fuzzy Hash: 039c05c3fba636b48b8683b418e7187368da0260861c502fa0cd2dcb72e156f6
Instruction Fuzzy Hash: 8E61CFB251C3448FC720DF29D48026BFBE0AFC8754F558A2EF9D893252D739D9048B92

Function 007751AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00775151,?,00000000,00000000,?,00775110,?,?,?,?,0077504F,?), ref: 007751E7
GetSystemTimeAsFileTime.KERNEL32(?,AB595993,?,?,00790535,000000FF,?,00775151,?,00000000,00000000,?,00775110,?,?), ref: 007751EB

Strings

4=w, xrefs: 007751E1

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Precise
String ID: 4=w
API String ID: 743729956-2024421503
Opcode ID: 31a065180866a4799c8b27e06f863d6fe1ec0e0b279918de0f7ac2e94e8c3a45
Instruction ID: 1dd56cbdc7a3201a78fccb88c704aa7f9d9ac159121f0bc6d1e3e58c1576fbb4
Opcode Fuzzy Hash: 31a065180866a4799c8b27e06f863d6fe1ec0e0b279918de0f7ac2e94e8c3a45
Instruction Fuzzy Hash: 1DF0E572A44998EFCB018F48EC40B59B7A8F708B10F418227E812D7390DB7DAD01CBC4

Function 007A7ED0 Relevance: 5.2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

Strings

D@22, xrefs: 007A7F8C
T, xrefs: 007A7FFC
E07, xrefs: 007A7F94
ED0>, xrefs: 007A804F

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: D@22$E07$ED0>$T
API String ID: 0-3041618281
Opcode ID: 44d51c8bf4294e26a7913fc4b43108d2e714bf98a12d11e87a13e9518742474c
Instruction ID: 2f2e994f8af2205e13a3d59541e09a8c3fe9aa7dcb233f6e45e8f6dae3fc34b2
Opcode Fuzzy Hash: 44d51c8bf4294e26a7913fc4b43108d2e714bf98a12d11e87a13e9518742474c
Instruction Fuzzy Hash: A9519F7154D3918AD3118F25C4A076BFFE0AFE3354F185A6DE5D44B242C37A8949CB63

Function 0078A52F Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0078A583
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0078A5CD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0078A693

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f5a239df2e83aa7aadd379048d6bdf385f600aaafc2ebb243c0adf476840b794
Instruction ID: ddf4614bfc30694d8b7e7a816b56ffe77af1e3a68a5251a5538f27d533905d43
Opcode Fuzzy Hash: f5a239df2e83aa7aadd379048d6bdf385f600aaafc2ebb243c0adf476840b794
Instruction Fuzzy Hash: 6B61B271680207AFEB28AF24DD86B6A77B8EF04300F14807BE906C6185F77CD991DB51

Function 0077BE0F Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0077BF07
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0077BF11
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0077BF1E

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bd6de8acd2d6397b62ff09103e06d304d43c7e4c627390bad670715e478ccee7
Instruction ID: 4a05f2b5a571f6d8c795acccae9f6cddde5ae02cafd4aab8bc8963d011801d61
Opcode Fuzzy Hash: bd6de8acd2d6397b62ff09103e06d304d43c7e4c627390bad670715e478ccee7
Instruction Fuzzy Hash: BE31D274901229ABCF21DF28DC8878DBBB8BF08750F5082EAE41CA7251E7749B858F44

Function 007D241A Relevance: 4.1, Strings: 3, Instructions: 389COMMON

Download Yara Rule

Strings

x, xrefs: 007D2879
z, xrefs: 007D2871
{, xrefs: 007D2875

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: x$z${
API String ID: 0-1334427886
Opcode ID: 270559b63d03618d4dda88461b8009e2e6c680d15a2a774bb43b84c844ac382d
Instruction ID: 76d8943cf4a773626d48c107fdab3db7089528de3b69f89ebc4ed5c9c1835fe1
Opcode Fuzzy Hash: 270559b63d03618d4dda88461b8009e2e6c680d15a2a774bb43b84c844ac382d
Instruction Fuzzy Hash: D5124B2050C7C18ADB26CE3C88887457FA15B67324F1D83D9D8E85F3DBC3A98946C766

Function 007C5AA1 Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

UP, xrefs: 007C5B90
JY, xrefs: 007C5B98
EN, xrefs: 007C5BA0

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: EN$JY$UP
API String ID: 0-605324858
Opcode ID: 5a57073a86ff3522875bef983d35ea37ef38152405bd15a6a62be556ee29e64e
Instruction ID: 04bf0d1ecdf486c0154932e6d4244a6d5fc865615dc3bd5b90a17c5a8fe49c90
Opcode Fuzzy Hash: 5a57073a86ff3522875bef983d35ea37ef38152405bd15a6a62be556ee29e64e
Instruction Fuzzy Hash: 1641FFB54593948FD350CF21888460FBFE1FBE5204F488D9CE9851B266DBB98906CBC6

Function 007B8C89 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

IT, xrefs: 007B8DA1
MMM@, xrefs: 007B8D96
R\Z_, xrefs: 007B8D8B

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: IT$MMM@$R\Z_
API String ID: 0-1684802361
Opcode ID: 2ad63225988889ce272b4d12b285e52c49e07e5b08b75079a2a653711695e958
Instruction ID: 763020e2255f1c99515f36a88e13d9000464c9262f1a027a82121ebe264bf671
Opcode Fuzzy Hash: 2ad63225988889ce272b4d12b285e52c49e07e5b08b75079a2a653711695e958
Instruction Fuzzy Hash: 7B312A72A1975087D7788B18C8517AFB6D6BBD5310F098A3DD9895B396CB388C01C783

Function 007A8BF0 Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

RP=2, xrefs: 007A8C8B
DD, xrefs: 007A8D0B
nP=2, xrefs: 007A8CF4

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: DD$RP=2$nP=2
API String ID: 0-752124796
Opcode ID: bc9575446fdc8fda196b18d202c8f179bedf40d2f2a21429c4f6b012dfa44c5f
Instruction ID: a513d539705e30a3189dfba80239568bc4baaa344f03507c2942cd5b4c7f4cbd
Opcode Fuzzy Hash: bc9575446fdc8fda196b18d202c8f179bedf40d2f2a21429c4f6b012dfa44c5f
Instruction Fuzzy Hash: 9C3131756483829FD324CF25C8957AFBBE1EFD6304F044E2DE1E887240D7795A0A8B96

Function 00781F50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00780946,?,20001004,00000000,00000002,?,?,0077FF48), ref: 00781F84

Strings

4=w, xrefs: 00781F6F

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: 4=w
API String ID: 2299586839-2024421503
Opcode ID: 518b210a91f324e4955d00c4b1ecdc13cd2206dab9589090c6c260861b2df1e5
Instruction ID: 5aec91f97492c9078f9aa39f842795a4ea20c13c5d853374226cd653a19f3261
Opcode Fuzzy Hash: 518b210a91f324e4955d00c4b1ecdc13cd2206dab9589090c6c260861b2df1e5
Instruction Fuzzy Hash: 82E01A7558115DBBCB123F65DC09E9E3F1DEB44761F408412FD05652218B3A8D62ABD4

Function 0077E190 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ae356b703282245e46982a16b0c15d5e2b54d97083e81566a83ef1af4d191c
Instruction ID: 8171a4a9afd2fbdc17e4773de9d79c3ce74bf4b398211ed89be5c59ef23cf062
Opcode Fuzzy Hash: 92ae356b703282245e46982a16b0c15d5e2b54d97083e81566a83ef1af4d191c
Instruction Fuzzy Hash: EFF12E71E002199FDF14CFA8C884AADB7B1FF88354F1582A9E919EB391D734AD45CB90

Function 007CACD6 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

jxpr, xrefs: 007CB27C
~y{#, xrefs: 007CB272

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: jxpr$~y{#
API String ID: 0-1885222315
Opcode ID: e5cbcb89cb5c215d426419538d84cafe15fedb57d89f99d588f853cd076b33ac
Instruction ID: 8a7b5cdd9a22a6ef70c3ca74073e85df660d1a73dc52e7b685faa8048fb7ef47
Opcode Fuzzy Hash: e5cbcb89cb5c215d426419538d84cafe15fedb57d89f99d588f853cd076b33ac
Instruction Fuzzy Hash: 96E1E460614B868EE7258B35C451BB7FBE5AF53304F18895DD0EB8B282D778B40ACB61

Function 007C01C0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

$%&', xrefs: 007C03B8
@A, xrefs: 007C01EC

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: $%&'$@A
API String ID: 0-1283312488
Opcode ID: dc910902b8060c1abe0c29a3bf80987e2f978149df277e72ba36ac4a076cf7c7
Instruction ID: 5379fe7faf6e8318f0cfb0e49d1441c56f869fbb73ab76a9ac0bf9dc62e9057d
Opcode Fuzzy Hash: dc910902b8060c1abe0c29a3bf80987e2f978149df277e72ba36ac4a076cf7c7
Instruction Fuzzy Hash: 18B1F171608380DBDB249B24C891B6BB7E1FF92364F19892CE9C997281E338DD44C7D2

Function 007A3120 Relevance: 2.9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

Strings

IEND, xrefs: 007A357D
), xrefs: 007A319D

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: ccbd78b6285f34a7ffed15b5e2421ac77b9f218dad7cc060debbb27367602f56
Instruction ID: a3806dc9a61b954cd3a73e8afc7211f913940896343cd100f263830603bca0eb
Opcode Fuzzy Hash: ccbd78b6285f34a7ffed15b5e2421ac77b9f218dad7cc060debbb27367602f56
Instruction Fuzzy Hash: 51E1C071A087419FE714CF28C84571ABBE0BBD6304F148A2DF9999B381D779E914CB82

Function 007DBD90 Relevance: 2.8, Strings: 2, Instructions: 303COMMON

Download Yara Rule

Strings

;:54, xrefs: 007DBF0A
;:54, xrefs: 007DBDBD

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: ;:54$;:54
API String ID: 0-2193779323
Opcode ID: e11c1bb4caca12a68035cea37d4e54f7ef5300c7c70a35fa345a60499fa8ec98
Instruction ID: beea106049b1802611d911739696870d3e8268b8eecfc88d8477ae30b833c194
Opcode Fuzzy Hash: e11c1bb4caca12a68035cea37d4e54f7ef5300c7c70a35fa345a60499fa8ec98
Instruction Fuzzy Hash: 4091E175608311EBD724DF64CC80BBBB7F6EB89310F54882EE68997381E7359844CB92

Function 007CA620 Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

rb`j, xrefs: 007CA797
gle=, xrefs: 007CA78D

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: gle=$rb`j
API String ID: 0-1318791034
Opcode ID: 748fabd0aba7eb80f85537ef719f7d1adde0791121d0f2e9b2e26f305d62469b
Instruction ID: 4455fd6e1291456379cbcb0873e7dae31241a4f3b148cbeebe0773fbd950e7cb
Opcode Fuzzy Hash: 748fabd0aba7eb80f85537ef719f7d1adde0791121d0f2e9b2e26f305d62469b
Instruction Fuzzy Hash: 17512AA4509B818ED7158B35C4A47F3BBE1EFA3309F1884ADC2E65B183C77D550AC716

Function 007CA430 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

rb`j, xrefs: 007CA797
gle=, xrefs: 007CA78D

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: gle=$rb`j
API String ID: 0-1318791034
Opcode ID: 1ddb76061fd0458ab39d1f76ad38820b9736bd262e06488c3de5275f40dee088
Instruction ID: 58a6e01c01b02958df7add45806f43f7c5b2babdfa5c946e3ec98661cf5131b8
Opcode Fuzzy Hash: 1ddb76061fd0458ab39d1f76ad38820b9736bd262e06488c3de5275f40dee088
Instruction Fuzzy Hash: DB4118B4105B818AD7258F35C0A0BF3FBE1EF63309F1885ADC2E65B296C77D61468B16

Function 007D8FC0 Relevance: 1.9, Strings: 1, Instructions: 610COMMON

Download Yara Rule

Strings

f, xrefs: 007D91A2

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 6cf9479f72dc52f14e68bce990952861689412abf92656bdf0f010a5ededc177
Instruction ID: 7501f87cb91e10261c3b64d23ee1aad08e8737067c57a5db09130622249a0da3
Opcode Fuzzy Hash: 6cf9479f72dc52f14e68bce990952861689412abf92656bdf0f010a5ededc177
Instruction Fuzzy Hash: 881280716083429FD714CF29C890B2BBBF6ABC5314F188A2EF5958B391D739D845CB52

Function 00786E51 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00786E4C,?,?,00000008,?,?,0078FC05,00000000), ref: 0078707E

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c2efbb29cc5b727830520faa4bbd7bd7887f5179f5df883817c905184a7518ce
Instruction ID: b18684b8a9650c59b0593938b2858c58e9d0fcd8067765c0fd42a8f76050402e
Opcode Fuzzy Hash: c2efbb29cc5b727830520faa4bbd7bd7887f5179f5df883817c905184a7518ce
Instruction Fuzzy Hash: 2CB17D31650608DFDB18DF28C48AB657BE0FF45364F258658F99ACF2A1C339E992CB40

Function 007758F5 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0077590B

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 46e3b6a8e7b830889301be5fc1342718c54380012f2177b20ed69f1a1584f5a6
Instruction ID: d56866f98077b0729b5ee00060f54a032cd1a2aa041d8d03c658181ade604d95
Opcode Fuzzy Hash: 46e3b6a8e7b830889301be5fc1342718c54380012f2177b20ed69f1a1584f5a6
Instruction Fuzzy Hash: 99A14CB19117058FDB19CF58E9916AEBBB0FB88324F54C12ED429EB2A0D3789841CF54

Function 007BC6F0 Relevance: 1.7, Strings: 1, Instructions: 479COMMON

Download Yara Rule

Strings

2$1., xrefs: 007BC79E, 007BC7A3

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: 2$1.
API String ID: 0-1588136823
Opcode ID: 4a19244ba5e7acbc059354a130d84c28abc474219620a9644689e898008a4ccd
Instruction ID: f773b4f22f8375d789e196c0a335082b0dbc0d259ee62ad6335df9fa89930be8
Opcode Fuzzy Hash: 4a19244ba5e7acbc059354a130d84c28abc474219620a9644689e898008a4ccd
Instruction Fuzzy Hash: C9E1E272608340ABE715DF24DD46BAFBBE5EBD2714F04C92DF88597281E638D8058B93

Function 0079E5C0 Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

EqD, xrefs: 0079E613

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: EqD
API String ID: 0-3464846087
Opcode ID: bf638c26f59aea35f014ecd9d44d8ede26166e9571b4726ef9e779444cb609c7
Instruction ID: 6b5192f3ae9790ca3168cb70d44f88ac4d36f7e1c803b6b90f2ae660c8b56452
Opcode Fuzzy Hash: bf638c26f59aea35f014ecd9d44d8ede26166e9571b4726ef9e779444cb609c7
Instruction Fuzzy Hash: 09D1D372A083119BCB18CF68D88066AB7E1FFC4750F158E2DF89997391E775EC048B82

Function 007C9000 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

", xrefs: 007C92E8

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 797c113de66f636ddacc161aa76fc55e39027cf0656d8861f5daaf124546a2a7
Instruction ID: e4de9cff8ae8a7f827a2a8a8a980b28f98261c045dc6c06a0aaf7918596a4636
Opcode Fuzzy Hash: 797c113de66f636ddacc161aa76fc55e39027cf0656d8861f5daaf124546a2a7
Instruction Fuzzy Hash: 04D12972A08355AFCB54CE24C488B6BB7EAAFC5310F18852DEA9987381D739DD45C7C1

Function 007C4C70 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

P, xrefs: 007C5025

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: P
API String ID: 0-2658810469
Opcode ID: e6c6b46cb7311c0de614932ee55f8dcd091882989d8ba56639936d8a09263a79
Instruction ID: 16badc599304d71923e0c232f6243037fce81468b0b49eaf4fea595a47d8b1c6
Opcode Fuzzy Hash: e6c6b46cb7311c0de614932ee55f8dcd091882989d8ba56639936d8a09263a79
Instruction Fuzzy Hash: 28B16972A083019BDB249E28D861B7B77A2EF91314F1A8A3CE9468B3D1D73DDD05C791

Function 00787B87 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce49297ebefcac13c534c89e489c3bc54b442bb967940a9883429f92162acb00
Instruction ID: 32d5f874b01d2db0db79f7f9e127dd069e84bd368e51fc52a7c5cf34cf1a249d
Opcode Fuzzy Hash: ce49297ebefcac13c534c89e489c3bc54b442bb967940a9883429f92162acb00
Instruction Fuzzy Hash: 5F31F976944219AFCB14EFA9CCC9DBBBB6DEF84314F244559F81697140E634ED40CB60

Function 0078A782 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0078A7D6

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d1a93101cf31c8cbe5159c227eec68ce990b078578ecf16cbe2138864953329e
Instruction ID: ea222f199e2241fe27bacd4657c749a19efd00ddebfd00bbe9d61d40b5f501ce
Opcode Fuzzy Hash: d1a93101cf31c8cbe5159c227eec68ce990b078578ecf16cbe2138864953329e
Instruction Fuzzy Hash: AC21B372995206ABEF19BB25DC45A7B33A8EF44310F10407BF906D7141EB78ED46C761

Function 0077B25E Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 0077B3E8

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 651c68f10849410edfbc4bf9ab5db21e8e182d81d9274179373decfd38f17f41
Instruction ID: d4dc5eb01dd8ea35a7ea74eb3977aa5c39f64323a2d94651f5986a74103e9cf5
Opcode Fuzzy Hash: 651c68f10849410edfbc4bf9ab5db21e8e182d81d9274179373decfd38f17f41
Instruction Fuzzy Hash: CEB1F07090060ADBCF24CF68C4957BEB7A1FF09384F14C61AD85ADB292DB3CA945CB51

Function 0078A409 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

EnumSystemLocalesW.KERNEL32(0078A52F,00000001,00000000,?,-00000050,?,0078AB60,00000000,?,?,?,00000055,?), ref: 0078A47B

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: fa0198d7787bc5fbdbbe87620df5501d8142ed5432061454432ff05e38f030f6
Instruction ID: 2115f16e0158e43a3e6b3c4ce165e4dd73c137083b0bb8f8f53e320c435d2172
Opcode Fuzzy Hash: fa0198d7787bc5fbdbbe87620df5501d8142ed5432061454432ff05e38f030f6
Instruction Fuzzy Hash: 9311E93B200705AFEF18AF39D8955BAB792FF80358B14442DE94A87640E3B5B952C740

Function 0078A9B1 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0078A74B,00000000,00000000,?), ref: 0078A9DD

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4bd88f3bae874feeb4f957fefa01a8707d4b1cffa9f496622ce31b2bf20b18b7
Instruction ID: 609e4d35438006bb878021fb81031b796101d44ce8930a4b4756ef99e9a48873
Opcode Fuzzy Hash: 4bd88f3bae874feeb4f957fefa01a8707d4b1cffa9f496622ce31b2bf20b18b7
Instruction Fuzzy Hash: 2EF0F932580112BBEF286665C905ABA7758DB40754F05842AEC07B3540EA3CFE42C7A2

Function 0078A4A4 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

EnumSystemLocalesW.KERNEL32(0078A782,00000001,?,?,-00000050,?,0078AB24,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0078A4EE

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 53b99bf5bb7028812525f79e991355e5ace8ad840fe663b4f56f69f9d8a4f78c
Instruction ID: 836b577e84214f3ac11964769632cf1e1025365d2b69710de434566956dbe375
Opcode Fuzzy Hash: 53b99bf5bb7028812525f79e991355e5ace8ad840fe663b4f56f69f9d8a4f78c
Instruction Fuzzy Hash: 60F046362403046FEF246F399886A7A7B90EF80328F04802EF9098B680D2B9AC42C740

Function 007C3E90 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

[], xrefs: 007C3F73

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: []
API String ID: 0-1177573720
Opcode ID: 28dc61d89c9962d98ce0a0ff36622ccad2390370d8923358e85aa3a8bf6d6407
Instruction ID: dcb0e007c1d77bd806d1c0c855478c29c799c896d692b55ec0e7203c3bcc2335
Opcode Fuzzy Hash: 28dc61d89c9962d98ce0a0ff36622ccad2390370d8923358e85aa3a8bf6d6407
Instruction Fuzzy Hash: C7811871A483018BD718DF15C89276BB7F2EFD2354F188A2CE5D68B390E7788945CB86

Function 00781A66 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0077C15D: EnterCriticalSection.KERNEL32(?,?,00782506,?,0079A2F8,00000008,007826CA,?,?,?), ref: 0077C16C

EnumSystemLocalesW.KERNEL32(00781A59,00000001,0079A298,0000000C,00781E4C,00000000), ref: 00781A9E

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: de6e6432238c7a5e757767b807a909879858a59921f67b2cb5db9abaccfd7082
Instruction ID: 97cae021b3d26ac8560eb9a0765b5b0e99e65af599db24ed1c5cebaf37390bda
Opcode Fuzzy Hash: de6e6432238c7a5e757767b807a909879858a59921f67b2cb5db9abaccfd7082
Instruction Fuzzy Hash: A6F0A9B2A01204DFDB01EF98E846B8C77F0FB49720F10C52AF524DB2A0DBB949008F81

Function 0078A3BE Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,?,00779D84,00799F68,0000000C), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000), ref: 007828D4

EnumSystemLocalesW.KERNEL32(0078A317,00000001,?,?,?,0078AB82,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0078A3F5

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0efbb79a05ca04a66409144f1e999ae8461e2fc1a55e7142ab0703fad422be8a
Instruction ID: 318a334afad18f7dcce6a3a0d60908fcb6f197bf0c360e9b01ffece8742d3079
Opcode Fuzzy Hash: 0efbb79a05ca04a66409144f1e999ae8461e2fc1a55e7142ab0703fad422be8a
Instruction Fuzzy Hash: EDF0553A340245A7DB04AF39D84AA6ABF90EFC1710B4A405AEA098BA40C6799843C790

Function 007A5220 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 007A5356

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: f5efa319d3dd488e3f6d1fcf97e381c6c2f3aa3dd971b7018fed55a91db49e1d
Instruction ID: 4912bca4fb90f99d20abd1f9a5f792cc8263d7f3503a4fd620648c2da1982b89
Opcode Fuzzy Hash: f5efa319d3dd488e3f6d1fcf97e381c6c2f3aa3dd971b7018fed55a91db49e1d
Instruction Fuzzy Hash: B7B137711097819FC325CF28C88061BFBE1AFAA704F444E2DF5D997782D635E918CBA6

Function 00776120 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000612C,0077532B), ref: 00776125

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a4c4aa8bb72e1c2950e8887e4b07e616860879e5b90f156afe4219f399d5de98
Instruction ID: f7575d83a0f2c3b11976f653108739ffe8ce97eca52c4b92a1ee93a3a63d41bf
Opcode Fuzzy Hash: a4c4aa8bb72e1c2950e8887e4b07e616860879e5b90f156afe4219f399d5de98
Instruction Fuzzy Hash:

Function 0079C411 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

G, xrefs: 0079C416

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 32f39cfcd39d2fca1e4adf9c5c05d18287ee7fddac8ee8f6e62a9c7428c9b440
Instruction ID: 5232d83ec795454aa6d1ab1341cffa20125f3df41492da6d29d6969b79c0c668
Opcode Fuzzy Hash: 32f39cfcd39d2fca1e4adf9c5c05d18287ee7fddac8ee8f6e62a9c7428c9b440
Instruction Fuzzy Hash: F0919971A083418BDF29CE18E09436EBBE2AFD8754F14891DF8D997391D339DC858B82

Function 007CB6C6 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

70, xrefs: 007CB98B

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: 70
API String ID: 0-2551262348
Opcode ID: 7ddf6622d04f510339b21929a58392507fa376e7e854226bdf0b798f7589ce62
Instruction ID: 9f9a1dc5fa11b9e82bfb24695e505fbc182c072f70c84d15d693a544c82981c7
Opcode Fuzzy Hash: 7ddf6622d04f510339b21929a58392507fa376e7e854226bdf0b798f7589ce62
Instruction Fuzzy Hash: A971F578544B818EE325CF35C492BB3BBE1AF93300F18985DD0EA4B782D7796406CB62

Function 007C94C0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 007C96BE

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: f36c6ef7b705075b6d54b99cdb7a5beaeb7a348050dea5910aad33e5420f2c0f
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 1B713732A083158BD755CE2CD888B1FBBE2ABC5710F29C56DE6989B391D338DD45C782

Function 007BB8EF Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

AFG, xrefs: 007BBA56

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: AFG
API String ID: 0-345823793
Opcode ID: a047c3867799e58fd90acd4eb4a036becb2d6078b3202b2663e9e972be915d54
Instruction ID: 9d9486f5fc4aa512b8f80d1064328b5c72697ba643919cc293de60e751a964e9
Opcode Fuzzy Hash: a047c3867799e58fd90acd4eb4a036becb2d6078b3202b2663e9e972be915d54
Instruction Fuzzy Hash: 2251DFB05083518BD714DF24D85276BBBE2EFE2718F24891DE4C55B391E7799801CB46

Function 007C1270 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

yK, xrefs: 007C1284

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: yK
API String ID: 0-406379470
Opcode ID: 103bab004864a21183c742f368020f5ce40f446f566320712d7b46ffbdc40d8f
Instruction ID: d7fde4f07bf93588716ede057e2f82ea325657ca55b3df560aeeb9429b395471
Opcode Fuzzy Hash: 103bab004864a21183c742f368020f5ce40f446f566320712d7b46ffbdc40d8f
Instruction Fuzzy Hash: A051DCB15083409AD704DF11D955B2BBBE1EFC2758F088A2CF4869B691E778CA09CB87

Function 007C1638 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

E#A%, xrefs: 007C1812

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: E#A%
API String ID: 0-367207849
Opcode ID: 78622120879777f33573f43c769fbb12f43f954dd0b782cb80656bf6302fbd3d
Instruction ID: acd1289ac8fb413189d4ae64e8d228fff37449bef767fffe8ad0d1946d695452
Opcode Fuzzy Hash: 78622120879777f33573f43c769fbb12f43f954dd0b782cb80656bf6302fbd3d
Instruction Fuzzy Hash: 9D6167B440D3819FC3149F24D89462BFBF0EF92B59F409A2CF49A8B651E778C905CB96

Function 00771D0A Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Z81xbyuAua, xrefs: 00771E2C

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: Z81xbyuAua
API String ID: 0-3121583705
Opcode ID: acc2d52d08297fed4364cb0f45b569dab10b4b721943c9cede30003cefe5464d
Instruction ID: 16933cdb81ef43d838c7d4a8fb82f1c1f990a9e7cef6a19cdd5635e76f475a14
Opcode Fuzzy Hash: acc2d52d08297fed4364cb0f45b569dab10b4b721943c9cede30003cefe5464d
Instruction Fuzzy Hash: 33410B76E1062B4BCF5CEEBCC85A0AEBB65EB46350B448279DD15DB3D1E1388A01CBD0

Function 007DAB76 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

;:54, xrefs: 007DAF59

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: c818157a73c16142e8122bd0a8c6c922aa2da90de37aa1f11ca27cbacc94ada3
Instruction ID: 67b9765d6532dc425bec52ba30fd8c89d5f83606712f7522d110e6d7da542804
Opcode Fuzzy Hash: c818157a73c16142e8122bd0a8c6c922aa2da90de37aa1f11ca27cbacc94ada3
Instruction Fuzzy Hash: 0B31E1B59112158FDB29DF04C851B7AB7B1FF85300F1980AED886AB361E778DD01CB9A

Function 007DB1E4 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

;:54, xrefs: 007DB25F

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: cf1c89b90f6fc0d63483bbe0acdd1e5d75d641d2c763c8e0993f9a39026f4eec
Instruction ID: d788a9d6bbe21dde71730960086acbdfdf65b83c3e39807ad6ca9933e12cfe69
Opcode Fuzzy Hash: cf1c89b90f6fc0d63483bbe0acdd1e5d75d641d2c763c8e0993f9a39026f4eec
Instruction Fuzzy Hash: 85212432A40149CBEB15CF24C891B7EB772FB96314F1A817AC445BB35AC7345C058B95

Function 0078ACE2 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0078ACE2

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b414fd4a3c8fa55712f6a706491eacb6e1667faffe4df476eca7df4b0b79ef2d
Instruction ID: 9dc0b8345042ac0ddba32a05cecb24cec1d29ba13ebc5a13d41d7c0ac7d71c23
Opcode Fuzzy Hash: b414fd4a3c8fa55712f6a706491eacb6e1667faffe4df476eca7df4b0b79ef2d
Instruction Fuzzy Hash: 94A012302021018B43104F305B042083599950858030480255008C4060F62840505709

Function 007A6850 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e76c1e3d9f13e3817f4de1b04d01435aeba196af99b46078f93bf9017278d34
Instruction ID: f2ed45da8799377f326f3b39920be54272b7d9bfaf7bc853ac5c46aca52b03b7
Opcode Fuzzy Hash: 1e76c1e3d9f13e3817f4de1b04d01435aeba196af99b46078f93bf9017278d34
Instruction Fuzzy Hash: 6B52D432608311CBC725DF18D88027BB3E2FFD5314F298A2DD9D697295E739A951CB82

Function 007BCDB0 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87969b4e125e02005b78cd35e8d09b9bafcfa8083a7cc9fa26eaa2513dc859b8
Instruction ID: f14a449599af45e011b7b1d73e669a4d6af25bfbddb75f73a7271f539454adef
Opcode Fuzzy Hash: 87969b4e125e02005b78cd35e8d09b9bafcfa8083a7cc9fa26eaa2513dc859b8
Instruction Fuzzy Hash: 3C7249B0518B818ED3628B3C8849797BFD56B5A324F088A5DE0FE873D2D77864058B66

Function 007BBCD0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef058b748bf338f25af5a18c54c273d0bd98d4ae633e31a5605fc25b82b61e3
Instruction ID: b323ec00d9325cb23ed557739ae80492c88444c7b4bd3006a55a73b5eb171f2a
Opcode Fuzzy Hash: 9ef058b748bf338f25af5a18c54c273d0bd98d4ae633e31a5605fc25b82b61e3
Instruction Fuzzy Hash: F432B072A083419BD735CF15CC51BABB7E2FBC4714F19892DE9899B280D739A811CB92

Function 007A5D40 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8784927a265cd564dffceda2761e89eb07e4950fa1efd88fa637bc5e6c87d68f
Instruction ID: 0468c5ada2ff14981e611d0bf0f89717e0e835a46e91adf6b2604dc9ea8e4a9a
Opcode Fuzzy Hash: 8784927a265cd564dffceda2761e89eb07e4950fa1efd88fa637bc5e6c87d68f
Instruction Fuzzy Hash: 2652B770908B848FEB35CB24C4847A7BBE1EBD2314F184A2DD5EA46BC2D37DA985C751

Function 007A1D50 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fcbbd3b9e49f22bcd552b99b501a40e0b07a2d02f9984baf02521e964c93dc
Instruction ID: c21b2a3c0a1675243507e0aab5dc9e6a549291fe7ee1e04fd43ce5775058346a
Opcode Fuzzy Hash: a0fcbbd3b9e49f22bcd552b99b501a40e0b07a2d02f9984baf02521e964c93dc
Instruction Fuzzy Hash: 3352B1315083458FCB15CF28C0906AABBE1FFCA314F598A6DF89957352D778E94ACB81

Function 007A2750 Relevance: .6, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5c0e7073f5dc37fb4dd4879f6ae709eae8cc347cce3d24bd1f52d49b0d686c
Instruction ID: 2f2a3548a12d30ced8e56e507dd12f903050ac717a26add2c36c608e956337b7
Opcode Fuzzy Hash: cb5c0e7073f5dc37fb4dd4879f6ae709eae8cc347cce3d24bd1f52d49b0d686c
Instruction Fuzzy Hash: C5421370615B108FC368CF29C59052AB7F2BF96710B644A2ED69787F92D73AF846CB10

Function 007BBBFD Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceaa2a06f107117e92b69d52cb419528322a354f5023b0e47892e28149cb5760
Instruction ID: 25b1b09500661cf12430b430bcf49049fc6afda568ddeddf00855db08e189bfd
Opcode Fuzzy Hash: ceaa2a06f107117e92b69d52cb419528322a354f5023b0e47892e28149cb5760
Instruction Fuzzy Hash: 6B0218716093808BD335CB25C851BAFBAE2FBD5714F29CA2DD5C99B642D7388806CB46

Function 007A4D60 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f317b1c45da6b7f69229d822e0b87c9ef474591575714757b3a0506e6ec10e7a
Instruction ID: 8c07b0d5e8cec74f600aa6aea314332d11313bfe64a35e39ae95a29d1a4ceb18
Opcode Fuzzy Hash: f317b1c45da6b7f69229d822e0b87c9ef474591575714757b3a0506e6ec10e7a
Instruction Fuzzy Hash: 93E15771208745CFC724CF69C880B6BBBE1AF99300F44892DE9D587752E679E948CB92

Function 007DC120 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fccb7de9b762700f8477539d744cfe2f57d2a4447d09e8afa9043c8d60d13de
Instruction ID: 536cb38690c1ca4da0e053673beae8ad2f2e5228cafa65f52f06de4911561695
Opcode Fuzzy Hash: 3fccb7de9b762700f8477539d744cfe2f57d2a4447d09e8afa9043c8d60d13de
Instruction Fuzzy Hash: B5B157B2A083158BE714DE68DC4576BB7E5ABC4324F09463EE995D7381FA38EC04C782

Function 007C75D0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6327611ef9380b6a77c60f8dcddb43d4f4b96d1b047fc0209dbb85d4543903f4
Instruction ID: e88fe5ee7322f7d73d7d5b7b93b79127e484060c8c2fb5da3021cafd4c1eb8c9
Opcode Fuzzy Hash: 6327611ef9380b6a77c60f8dcddb43d4f4b96d1b047fc0209dbb85d4543903f4
Instruction Fuzzy Hash: 7F81357560C3128BC7289F28C8927ABB7E1EFD1364F04992CE9C55B391E77D8805DB92

Function 007A7570 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da664209c0d61269e910edee4740a7f952b00b9703a90649d3065fd3032e2306
Instruction ID: ca84abd2f827736334b9c157757a6eae88ae9600ae992af9ffea8209e7d5b9a2
Opcode Fuzzy Hash: da664209c0d61269e910edee4740a7f952b00b9703a90649d3065fd3032e2306
Instruction Fuzzy Hash: 72A1E732F095614BC329892CCC9539A76D7ABC3720F6ACB55D895DB3A9E63C8C41C7C1

Function 007CBA18 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24913e8d40f006febfdb1bba54a985d39d1a64e6ae7ca832070ccb2e41f6021
Instruction ID: d25d11b97b817bc2d80688fc1188bf397d50e13c1f7f581b8dbd00f88055c053
Opcode Fuzzy Hash: b24913e8d40f006febfdb1bba54a985d39d1a64e6ae7ca832070ccb2e41f6021
Instruction Fuzzy Hash: 0DA1E375644B418FE321CF25C882B63FBE5AF95300F18CA6DE4EA8B386D779A805D750

Function 007DE690 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efb06e421345c03027bb9fd64724cd93adeae7aebfe92c7abde81bcce0017db
Instruction ID: 2bd11c8fedfb8cf85aa61dba861490d220b2ce81d6742099ef780d95e935b723
Opcode Fuzzy Hash: 9efb06e421345c03027bb9fd64724cd93adeae7aebfe92c7abde81bcce0017db
Instruction Fuzzy Hash: C791D5356053068BD729EF19C891A2FB7F2EFD9710F05842EE9858B351EB35AC15CB82

Function 00789BCD Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 77e493927581bf87336f3e7c16c95841f1873aa87b103d4ced890db9c2e86859
Instruction ID: c35e1d648f55b82a71ba10422635d1b5e1ffb3bb027ee404bca7a89d046b2ffc
Opcode Fuzzy Hash: 77e493927581bf87336f3e7c16c95841f1873aa87b103d4ced890db9c2e86859
Instruction Fuzzy Hash: 7BB1E3366407419BDB38FB24CC96AB7B7E8EB44308F58446DEB47C6680FA79E985C710

Function 007DEA00 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c40261ca8ba72c73c495f6389f2f05eabddfcb1384c35f40e7eee04170ba9c0
Instruction ID: 9c7004771f5d414a03641d36a66f3de37d1335ae2aacc733edf5aac63cee1c6f
Opcode Fuzzy Hash: 6c40261ca8ba72c73c495f6389f2f05eabddfcb1384c35f40e7eee04170ba9c0
Instruction Fuzzy Hash: 5FA1B375A183118BC725EE18C88162BB3F2FF89710F19882EE9869B351D779AC51CB91

Function 007DE320 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310457f3d82f4427a0740cd289bd02b7a71dc49b08435cb4fd3b8a365d6893c9
Instruction ID: 9dbb274d72d5d50ad69dec7c63975b01becbbe9b80800824a9356726897200ff
Opcode Fuzzy Hash: 310457f3d82f4427a0740cd289bd02b7a71dc49b08435cb4fd3b8a365d6893c9
Instruction Fuzzy Hash: A79126356083119BC728EF18D891A3FB7F2EF99754F19883EE9868B351E7389C118752

Function 007C9D06 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9360df3f25a527240e21665a412fb944a27a1991fd43376e7227af7952bf6759
Instruction ID: 4f660a149735affa86dc90de041fd02917e72409dad94f3e20ef4ef7cb0b0ca3
Opcode Fuzzy Hash: 9360df3f25a527240e21665a412fb944a27a1991fd43376e7227af7952bf6759
Instruction Fuzzy Hash: 5CA1C371604B818FD739CF3A8460BA3FBE1AF96314F18896DC5EF87682D679A4058B50

Function 007A58B0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c2db3a552e06711759cc7f59c202e29a1d7f0400d16efebe1946d65a83b380
Instruction ID: 03dfa7b618f6e403fc9a03af37fe14220c46db0ecdca786ee96b9af27899a071
Opcode Fuzzy Hash: e8c2db3a552e06711759cc7f59c202e29a1d7f0400d16efebe1946d65a83b380
Instruction Fuzzy Hash: DFC16DB2A487418FC360CF68CC867ABB7E1BF85318F484A2DD1D9C6242E778A155CB56

Function 007DED80 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a144deda47f969a265caedc437cf17c65c6f861d613448f379390e5419fda1
Instruction ID: 3d00f186f67f61d8854e32c91f76a8557d0860a51856745448ab496418113cc1
Opcode Fuzzy Hash: a0a144deda47f969a265caedc437cf17c65c6f861d613448f379390e5419fda1
Instruction Fuzzy Hash: 6E810432B083015BD729AF14D882A3BB3B7EBC5314F19C93EE9859B391DB799C058781

Function 007CE060 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66c4c1104efa3e2ffb3d87ef5e2ce7a50c76b5fb15f7f8c87c2091cf2b99a81
Instruction ID: 394a98b4f0906555f7b631a9add7c94296cee273dac126a404a468a600f16e01
Opcode Fuzzy Hash: e66c4c1104efa3e2ffb3d87ef5e2ce7a50c76b5fb15f7f8c87c2091cf2b99a81
Instruction Fuzzy Hash: F3913437A099918BD7188A3C8C517B9AB936BD7334B3E837DD8B28B3D5D53D88029351

Function 007D8690 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba85a5e5c57bc10a49607dfe779fa9766c141884a2065fc55b2dfb5de6bc8bf
Instruction ID: 2dc31cc5593dc736c07ef62f000452c85f89b5127737d9351c50bd4507013785
Opcode Fuzzy Hash: 8ba85a5e5c57bc10a49607dfe779fa9766c141884a2065fc55b2dfb5de6bc8bf
Instruction Fuzzy Hash: D5711632A043619BD7509F6CC880B6BB7E6EB85360F1E893ED8C49B350DB799C418783

Function 0079FD98 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7c7cf9c83713f18a2dc978b38566f819d7b34974c61570317428b2257af73a
Instruction ID: 0b59b3b9d21b1dd4f05bfcf4bc24ab5b8363258304d96415fecfe3a149210f9f
Opcode Fuzzy Hash: df7c7cf9c83713f18a2dc978b38566f819d7b34974c61570317428b2257af73a
Instruction Fuzzy Hash: 0B81E472A083518FD7258E54C48076BB7D1AFE6304F198E6DE88A8B352E779DC48C7C2

Function 007BFF60 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bceb990cec0391a6aaf9255d29bd7a7be4f8aada7ec52a9a664f21aa479d45d
Instruction ID: 3d1d54520b1d6a3d76ed2313fe471879894398b3434b388d23e2256f140279cb
Opcode Fuzzy Hash: 7bceb990cec0391a6aaf9255d29bd7a7be4f8aada7ec52a9a664f21aa479d45d
Instruction Fuzzy Hash: 3D51BFB1600204DBDB209B64CC86FB773A4FF82768F19851CF9858B291F379E944D7A2

Function 0079FD00 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85397a2b1c0e167ccc31b55fd800911c9da30d14a5a927e4a84bec90224bcb7
Instruction ID: 412a221c4e2baa845ad2398b09c927dee186c78f2992f0ba0c2f7e304a5a082c
Opcode Fuzzy Hash: a85397a2b1c0e167ccc31b55fd800911c9da30d14a5a927e4a84bec90224bcb7
Instruction Fuzzy Hash: 6E71DA72A097424BDB258A18E444326B6D3BFE2314F1DC67DD8AACB392E779DC05C381

Function 007C6C50 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb87c5e73c25e89aa7e9c3a90b3b4628f02d422021cfb59b068247ebb9a09f7
Instruction ID: d804aae5ac89ff4ac108fe1cb5bc8dbdc190fcbee8c08af324af93c75effb333
Opcode Fuzzy Hash: 5eb87c5e73c25e89aa7e9c3a90b3b4628f02d422021cfb59b068247ebb9a09f7
Instruction Fuzzy Hash: BC71C471A0C3918FD724DF28C89175FBBE1EBC6310F15892CE9E96B381D77998058B92

Function 007A89A0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b827573b30ceb2436410f9e63cd746bfd8cb727d63d0118aa901de86d3792b
Instruction ID: 2a0e05726a07f275c8f94c4b21c55aa99ea94524e1303af56303efd159cf6a01
Opcode Fuzzy Hash: e6b827573b30ceb2436410f9e63cd746bfd8cb727d63d0118aa901de86d3792b
Instruction Fuzzy Hash: 2751127375A69147D368893C4C223A7BA830BD3334B2EC37AE5B5CB3E1D96988024256

Function 007B85CF Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66e03809d4772ec8fbbce53a1dd5d239ef58bc7d2fc2ae2d2e4073537ea0e90
Instruction ID: f3727a6222e9071b654d79b07e9ff85788be63c4c32c34c856d4cbbaaeccb93a
Opcode Fuzzy Hash: f66e03809d4772ec8fbbce53a1dd5d239ef58bc7d2fc2ae2d2e4073537ea0e90
Instruction Fuzzy Hash: 1161FB73E142108BD768CF28CC4176BB6D6E799314F6A893DD889E7241DB39DC018B86

Function 007C4234 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb88dd8d5d1c701eaa9d8bf4b27ce6617c6756c7bbbdd7eb5542df5c5a3c400
Instruction ID: 2d4aaf9eb20c09165e6f15d15e1b5510c10d7400659300f6873181f02cc30738
Opcode Fuzzy Hash: 9eb88dd8d5d1c701eaa9d8bf4b27ce6617c6756c7bbbdd7eb5542df5c5a3c400
Instruction Fuzzy Hash: AC519A7254C7528BD7208E2898F1B6BBBA1EF81310F58872CD992073C2D339EC15E392

Function 007D3870 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28944043d57d33c0e1af6b5e668860694da2a871386fddd49675c3e6474336c9
Instruction ID: 048fe4abb064d6e8512f296014147678d80625cb58a662ca3a4969db40a7cf63
Opcode Fuzzy Hash: 28944043d57d33c0e1af6b5e668860694da2a871386fddd49675c3e6474336c9
Instruction Fuzzy Hash: 64515CB16087548FE314DF69D49475BBBE1BBC4318F044A2EE4E987351E379DA088B92

Function 007C5EC0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae4fe35c4a224991ff4d3d8ffec9455101fa03dc48e26ccc02a11722936ec64
Instruction ID: f1ae1614c6192ea68116904831621220b0808017d0b109395a498a2647cabd31
Opcode Fuzzy Hash: 2ae4fe35c4a224991ff4d3d8ffec9455101fa03dc48e26ccc02a11722936ec64
Instruction Fuzzy Hash: FE510872914B154BDB1CCE2C985063AB3D2ABC5300F89867DDD569F386EB35ED04D781

Function 007DDE10 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b323b06af33acb73dbe289efa0c2e1d492ec7b6e0cae3162839ae2fcac5097
Instruction ID: f36650c7e9846fe2fbb8e432ffe1c0760f594054b7e69713e7f2bd3d919c94e2
Opcode Fuzzy Hash: c7b323b06af33acb73dbe289efa0c2e1d492ec7b6e0cae3162839ae2fcac5097
Instruction Fuzzy Hash: CC4144367443015BE3389F68CC81B3BB7A7EBD5304F29883EEA9A9B391D6759C118741

Function 007A0520 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3078c5870f50b24a7d3272fd7b7eedbe317f329723c22771648626802734d7
Instruction ID: 89d8325a5358bd548dbd8e7fc442970b51199824ec94d475200531285d00d54a
Opcode Fuzzy Hash: 0c3078c5870f50b24a7d3272fd7b7eedbe317f329723c22771648626802734d7
Instruction Fuzzy Hash: 20515175A04201DFCB14DF18C880926BBA1FFCA368F154B6CE8999B352D635EC52CBD2

Function 007D8960 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c910e67130a60d1e33c06601a7a93ad7a5b57976b98dee142a21769242446fb
Instruction ID: 24f65d7051d52cd8dd560d0b27d509c91fd5e70eeda435d280fce6ecf877d8e2
Opcode Fuzzy Hash: 3c910e67130a60d1e33c06601a7a93ad7a5b57976b98dee142a21769242446fb
Instruction Fuzzy Hash: 1241AA346082119BD7619F68D890B3BB7F5EB85340F18C82FE8C58B391DB799C40CB96

Function 007CA847 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0943fc64f24cba62103d67680eba0a3a313f770df436951548d32c879950bda8
Instruction ID: 9ab9fc251194f7aeb6b7e072f6972b0dc57c88ee9ed870a0fa5a9d226075ffd5
Opcode Fuzzy Hash: 0943fc64f24cba62103d67680eba0a3a313f770df436951548d32c879950bda8
Instruction Fuzzy Hash: D231F4B0604B868ED7258F3584A0BB6BBE0AF53309F18459DD0EB9B242C778A406C765

Function 007CA844 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe67c3a73c45f9d0cec36c04150b99da77450c86d638be15714901631a55fbce
Instruction ID: 496e9378fd5c3bb95e003c34a59b6069c23e6512853b7497f535845b73eeebd4
Opcode Fuzzy Hash: fe67c3a73c45f9d0cec36c04150b99da77450c86d638be15714901631a55fbce
Instruction Fuzzy Hash: 4931F4B0604B868AD7258F3584A0BB7FBE0AF53309F19855CD1EB57382C778A406CB66

Function 007C46A1 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62398c5841f92a0bf12dbc446fb033ff39179e9e8dd196dc0ec75556d5a44602
Instruction ID: 445df0ce3d67b10376ac7aa22cc4e11294750247b3f2f290d85f3ddd259044ec
Opcode Fuzzy Hash: 62398c5841f92a0bf12dbc446fb033ff39179e9e8dd196dc0ec75556d5a44602
Instruction Fuzzy Hash: 4A213671605240DFDB249F54A864F7E37F2FB57340F15583CE0C1AB516C329C8118B8A

Function 007D5260 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805618d78dd3bab6080c38942e6646fc2923eccc631d31120460989af68852de
Instruction ID: 36b5869e942cc67249970386313927f405c061e391476acbd08bb8e64ca0041c
Opcode Fuzzy Hash: 805618d78dd3bab6080c38942e6646fc2923eccc631d31120460989af68852de
Instruction Fuzzy Hash: 4031397290D7248BD3245D3D889036EBAA26BC1774F1A872FDCB6873C1DA784C4153C1

Function 007DB899 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a12aeac5f2b7e93ee930f601c6cebdd4206e93e1557a40b92731c5813029d9
Instruction ID: 978e3850867294b980d8682e61f41ab4e84ee5fbf918ad62033d0019b8dc6c73
Opcode Fuzzy Hash: 35a12aeac5f2b7e93ee930f601c6cebdd4206e93e1557a40b92731c5813029d9
Instruction Fuzzy Hash: 1B310872A0C7598FD308DF3888A522BF7E66BCA310F19C13EC59597391DB38E9058784

Function 007C0E10 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4dd7aaad70d44a22e43d736a9c01a3facf8d80a14004c0718d77846a31c01a1
Instruction ID: 8365d607d11b54a77a2144f6f43e671357526643be0cf9d6da4a226bc6b0a97c
Opcode Fuzzy Hash: e4dd7aaad70d44a22e43d736a9c01a3facf8d80a14004c0718d77846a31c01a1
Instruction Fuzzy Hash: D111E2757443029FD7149E14C881BBBB7E2E796314F18892CE0C4E7292C378D81AABD5

Function 007B0B18 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fc720b131f83f0c24bcbdd8a65296845fd7c1fb0f5e3b560e96833d3e78c8f
Instruction ID: c7a6b06e98ec69b448883986ab67e72e96e1556b22bfa42f17e8bb59be47ea17
Opcode Fuzzy Hash: 18fc720b131f83f0c24bcbdd8a65296845fd7c1fb0f5e3b560e96833d3e78c8f
Instruction Fuzzy Hash: CC215A76749B424BD369CA34C8957A7BBD2AB99310F0D843DD49FCB3C6D978B8018700

Function 007B94E8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0361d5d8a90bba5f934f2236c411d58d14960e51211198a33939c5894c9d5105
Instruction ID: 910e1a6fddbc46c2712644d60630ba1e28ea64a7eb40e7660bd05e663f7bfbd3
Opcode Fuzzy Hash: 0361d5d8a90bba5f934f2236c411d58d14960e51211198a33939c5894c9d5105
Instruction Fuzzy Hash: 05212472B042118BD328CF38CCC176BB6E2FB96310F19853CE6959B285EB38DC1587A1

Function 007D1C20 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9ec62c8a4bc860c90e857c1cff0781cceb39864b571b44dfe0cf7cc862870f20
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 0A11A933A551E40EC3168D3C84405A5BFB30AD3675F99839AF4FC9B3D2D6268D8A8365

Function 007C8AE0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c567e6d3feabf2612158f17b3ddead43c828b89f7b50619300ace4a50606ce
Instruction ID: d931a630873543fc7226e53f329d68095bb1980fee55be4c7b5020b00a6c7ca7
Opcode Fuzzy Hash: 85c567e6d3feabf2612158f17b3ddead43c828b89f7b50619300ace4a50606ce
Instruction Fuzzy Hash: 0601BCF1A0034197DB60EE1598C5F2BF3A86F82714F09452DE8094B202DF79FC15D6A6

Function 007C5651 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7358a63000bf5d8959b9e319c35d4bfbf4078b59232f5ac02b281b6c3e20f1a4
Instruction ID: a5c6b6bc3eb0499e1c0e7313ec0229d3182023884398457de07756b509503139
Opcode Fuzzy Hash: 7358a63000bf5d8959b9e319c35d4bfbf4078b59232f5ac02b281b6c3e20f1a4
Instruction Fuzzy Hash: 79018150408BC28AD7128F259050B32FFE59F23714F68258DD4D65B652D36AF846CB21

Function 007C8F88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba469ef2f70924d2221b1b416b0e43c707a1a0daa4e008d95f594c44a12977d5
Instruction ID: a6128bcde81c11b55e39aed97c11f340027009771054f9c140f1edae2021225e
Opcode Fuzzy Hash: ba469ef2f70924d2221b1b416b0e43c707a1a0daa4e008d95f594c44a12977d5
Instruction Fuzzy Hash: 6011A56209D1C1C7D3170F324868096EB55FF8F21D75BC3DE88890DC96A57E86438241

Function 007CB318 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a9d51bef5431e3fd5d212fb9384805742d1edf2040dc6c9207c59f80b03120
Instruction ID: 5ef68dc12cd7e5653361eda5463748b1c798dbceb980b5a755e1916211e96b8c
Opcode Fuzzy Hash: 14a9d51bef5431e3fd5d212fb9384805742d1edf2040dc6c9207c59f80b03120
Instruction Fuzzy Hash: CE11E562A05B818FD725CB36C451B63FBE2AB93300F1885ADD4EB4B696C678A4028711

Function 007AA1CF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e29738492007c081fbded4737b4e5ca202ae310da255307554801b34e9844f9
Instruction ID: 423a0a1ec024c49f40f089c06ab216f05e08aaa4e65d07f603b37ac4fde0274e
Opcode Fuzzy Hash: 1e29738492007c081fbded4737b4e5ca202ae310da255307554801b34e9844f9
Instruction Fuzzy Hash: FB01D434548B809FD3368F258890BA7BBF0EF23728F10592CD8C357A92D268F805CB18

Function 007A4B39 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4723d71c792598418a79dd83a8a5e36cea143ecb0307ed192101c4e328a3e7d0
Instruction ID: 42f9f5a0f1a7477b8b50236f60cc26cd77e8768e74550a69cdf06be488df561b
Opcode Fuzzy Hash: 4723d71c792598418a79dd83a8a5e36cea143ecb0307ed192101c4e328a3e7d0
Instruction Fuzzy Hash: 9A117B2524E3C19E83A2C67D08D008FAEA25EFB000FD89E9DF6C01B34BC1A59559C7A7

Function 007CA3C8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a66bce832a49a6c725596cb80bc8d18f9861282f518c8fa987a4c21f54a733a
Instruction ID: b6826d3e3167c1bd5bcd551f38f399767356099921f301ca4c91fc6a130f2725
Opcode Fuzzy Hash: 9a66bce832a49a6c725596cb80bc8d18f9861282f518c8fa987a4c21f54a733a
Instruction Fuzzy Hash: D1F0A090A093C14AD22746384A806ABAF669BE3659F0CEA7DC3C267907C13C5803925E

Function 007DD600 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844485c22e43cb4b882ced447edefd6223d56b687558d3ac15821161b08e7fd9
Instruction ID: dbd74d901099577c183b914e043baa062771be724b032fe79d3fb8a028dce028
Opcode Fuzzy Hash: 844485c22e43cb4b882ced447edefd6223d56b687558d3ac15821161b08e7fd9
Instruction Fuzzy Hash: 54015A05FD96F88D93320B7180788B6AFF248AB561B8E82D6D8E81F753C508DD00A790

Function 007AA1B8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10ac84ea4a9ab5c38103feec5afd3468d147419f941dbeb2886a186b71f26c2
Instruction ID: 1f6fad02c9545300ce6650766a6d20bc9d72c1fc8d1d9690730f8eda697e875c
Opcode Fuzzy Hash: f10ac84ea4a9ab5c38103feec5afd3468d147419f941dbeb2886a186b71f26c2
Instruction Fuzzy Hash: 1C01F439104780AFD3218F698C80BABBBF0EF03308F54952DE9C356A85C328B006CB14

Function 007A8D4C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ac0694fb0f4b8dfb50f4d8b8e4206b221babd556a570f82098f20f136e5c0b
Instruction ID: 83156b2bc6495a255b0650938dd43a084d89f3e9376d406964216cf6bc300744
Opcode Fuzzy Hash: c9ac0694fb0f4b8dfb50f4d8b8e4206b221babd556a570f82098f20f136e5c0b
Instruction Fuzzy Hash: AFF0D4BDC94050BFD711AFA6BD47A283A71B75320DB485136F405A2331FB3648208B1A

Function 007DD000 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78edffa7b573886e81dc5ea769639d0d8f278512bc544eaf8f5d486ae1be2de7
Instruction ID: ab14f53f23aa1d159b8a90404ddc3141790735b43495a46556c147f40a2a3621
Opcode Fuzzy Hash: 78edffa7b573886e81dc5ea769639d0d8f278512bc544eaf8f5d486ae1be2de7
Instruction Fuzzy Hash: 4FE0222450D2409BD3081B39589453FBBF5DBD7220F24AE2DF0D2532E1E5318C46CB16

Function 00782B5D Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dd7c0d121006efe31c3cd602c915a0361a8b0e70717307f03d36f8c7cad8ac
Instruction ID: f045951d938f0127b4f4876df9cb84fcf4091b14091ee5984fd5fdf65e257554
Opcode Fuzzy Hash: 49dd7c0d121006efe31c3cd602c915a0361a8b0e70717307f03d36f8c7cad8ac
Instruction Fuzzy Hash: 9CE08C72A52628EBCB14EF88D90898AF7ECEB44B91B11459AB505D3201D674DE01CBD0

Function 007D6C10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 39f154c6ecdbd3f5699d079ac53566b94033fc384f7dba7e1b62eb96653841f1
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 0DD0A721608321469B748F19A400977F7F0EAC7B11F49955FF9C6E3248D234EC41C2B9

Function 007DA940 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09f8a49d48ab82d443c33869e060a500f6a201bafaa263f3fe6f9a5e939af5a
Instruction ID: 063504dd53b0fc4ad4c1ec175fa06b0f7cac455b4ee358c4827750378d3c494d
Opcode Fuzzy Hash: b09f8a49d48ab82d443c33869e060a500f6a201bafaa263f3fe6f9a5e939af5a
Instruction Fuzzy Hash: A6D012789441046B51189B199D97D73767DDAC3654B002528B942D7754C990DC11C6AD

Function 0077F4C6 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b479a11ccc6c2eceaea55d319ac4cd762b21b8c39f808f14f8525f6a159b148
Instruction ID: c43143f4a4cf470cd6b227c9fe5bf33ab1e3c78856d061283a7712aa96fb1db1
Opcode Fuzzy Hash: 5b479a11ccc6c2eceaea55d319ac4cd762b21b8c39f808f14f8525f6a159b148
Instruction Fuzzy Hash: 19C08C3404198187CF39DE1083713A63354A392BC2F80049CC40A8BA42C91E9C87DB00

Function 007DD494 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf97a0a2d9e260e662089778e3d8ff8c4c66212005e30a8000619c477893c36e
Instruction ID: 468266b5acc582a87efa876116bc750fb4fd01ddaeb776e1c050398729ceb85f
Opcode Fuzzy Hash: bf97a0a2d9e260e662089778e3d8ff8c4c66212005e30a8000619c477893c36e
Instruction Fuzzy Hash: 21A00278E5C01086A608CF31A850471E3B96B5F220F5134288045B7451D510D440855C

Function 007D4F57 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239dfaca31a6bc3804ab5446496ef7b7421d39337efb44b0babc25535ff7a4a0
Instruction ID: c56c614e626fbaefe015df4c265e8ac3e17c0e28fff5c33c6961e53a6ab25fc2
Opcode Fuzzy Hash: 239dfaca31a6bc3804ab5446496ef7b7421d39337efb44b0babc25535ff7a4a0
Instruction Fuzzy Hash: 71900264D4A1008681418F049440470E378620F101F107450D118F3011C260D400550C

Function 0077516A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00775170
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0077517E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0077518F
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 007751A0

Strings

GetTempPath2W, xrefs: 00775195
kernel32.dll, xrefs: 0077516B
GetCurrentPackageId, xrefs: 00775178
GetSystemTimePreciseAsFileTime, xrefs: 00775184

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 8bcfaf172e376eb24d89f050d76e01e127be8d93f6ff66ba694266604cd4623d
Instruction ID: 33d4d9ff41b92d45f6d786d5dfb7553fd8546622954663b679f997ed46a8e409
Opcode Fuzzy Hash: 8bcfaf172e376eb24d89f050d76e01e127be8d93f6ff66ba694266604cd4623d
Instruction Fuzzy Hash: 37E046F1A866D9AB8B106F79BC088553BA9AA092803018116F600C6268E27D08668B5C

Function 007786D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00778707
___except_validate_context_record.LIBVCRUNTIME ref: 0077870F
_ValidateLocalCookies.LIBCMT ref: 00778798
__IsNonwritableInCurrentImage.LIBCMT ref: 007787C3
_ValidateLocalCookies.LIBCMT ref: 00778818

Strings

4=w, xrefs: 007787DC
csm, xrefs: 007787AD

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 4=w$csm
API String ID: 1170836740-1306970713
Opcode ID: 439789538d03e7fc99aa96ab286f312d3895b64347699ee1c9b5f13665141c3a
Instruction ID: a26b513a54d0729c138497cdc6a7d390d2a4e271dc2d320e2a80454e258a12c0
Opcode Fuzzy Hash: 439789538d03e7fc99aa96ab286f312d3895b64347699ee1c9b5f13665141c3a
Instruction Fuzzy Hash: C541E834A40208EFCF14DF68C889A9E7BB5AF05354F24C155E91D9B352DB399A11CBD2

Function 007735FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00773603
std::_Lockit::_Lockit.LIBCPMT ref: 0077360D
int.LIBCPMT ref: 00773624

Part of subcall function 0077166A: std::_Lockit::_Lockit.LIBCPMT ref: 0077167B
Part of subcall function 0077166A: std::_Lockit::~_Lockit.LIBCPMT ref: 00771695

std::_Facet_Register.LIBCPMT ref: 0077365E
std::_Lockit::~_Lockit.LIBCPMT ref: 0077367E
Concurrency::cancel_current_task.LIBCPMT ref: 0077368B

Strings

4=w, xrefs: 0077366B

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: 4=w
API String ID: 55977855-2024421503
Opcode ID: 799a44bcc459472659476dc3dd887340586e68121db06c05892b12b1a93d4032
Instruction ID: 0e338dc1d52cc18ce482562fb3e5d35f67b369df3b319320952e11e7e85abf5d
Opcode Fuzzy Hash: 799a44bcc459472659476dc3dd887340586e68121db06c05892b12b1a93d4032
Instruction Fuzzy Hash: A511E171900215EFCF04EB68D8497AE77B4EF447A0F60841AE409AB391DFBC9E018791

Function 00778C38 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00778D57
___TypeMatch.LIBVCRUNTIME ref: 00778E65
CallUnexpected.LIBVCRUNTIME ref: 00778FD2

Strings

csm, xrefs: 00778C75
csm, xrefs: 00778D8E
csm, xrefs: 00778CE2

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: 186232f5c05abc0040593e17e1a35bc01f8962e5d397ffc1a7e5792ee8788015
Instruction ID: 0765ddde1795ba015fbecd352a28947b59b1218d3e8db319d13369adc39133a3
Opcode Fuzzy Hash: 186232f5c05abc0040593e17e1a35bc01f8962e5d397ffc1a7e5792ee8788015
Instruction Fuzzy Hash: 92B1A031D40209DFCF64DFA4C8499AEBBB6FF14390F148159F9186B242DB78DA11CB92

Function 007732C5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007732CC
std::_Lockit::_Lockit.LIBCPMT ref: 007732D7
std::locale::_Setgloballocale.LIBCPMT ref: 007732F2
_Yarn.LIBCPMT ref: 00773308
std::_Lockit::~_Lockit.LIBCPMT ref: 00773345

Strings

4=w, xrefs: 00773314, 00773338

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID: 4=w
API String ID: 156189095-2024421503
Opcode ID: 8095a09791da7ff5de8c2dc8594d3cb1f977e115182df6ddc4fb97c454a4fbf2
Instruction ID: c6bc4d252eae3396c224fa8fa55a106b1102bb2de6f60761448a3f09711d968a
Opcode Fuzzy Hash: 8095a09791da7ff5de8c2dc8594d3cb1f977e115182df6ddc4fb97c454a4fbf2
Instruction Fuzzy Hash: BD01DF71A00251DBCF0AEB60D89997C7BA1FF89790B14C00AE8095B391CF7C6E42DBC5

Function 0077F4E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,AB595993,?,?,00000000,0079060C,000000FF,?,0077F478,00000002,?,0077F44C,0077C216), ref: 0077F51D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0077F52F
FreeLibrary.KERNEL32(00000000,?,?,00000000,0079060C,000000FF,?,0077F478,00000002,?,0077F44C,0077C216), ref: 0077F551

Strings

4=w, xrefs: 0077F540
mscoree.dll, xrefs: 0077F516
CorExitProcess, xrefs: 0077F527

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 4=w$CorExitProcess$mscoree.dll
API String ID: 4061214504-3505369049
Opcode ID: 455d1dfb239abc13b10398aa43ea68a54e7ddfa43c427a8c4ccaaa26e53577fb
Instruction ID: 89369e52d010fe0f07515b6287a74109819033918d8cc854d4318012d558a73f
Opcode Fuzzy Hash: 455d1dfb239abc13b10398aa43ea68a54e7ddfa43c427a8c4ccaaa26e53577fb
Instruction Fuzzy Hash: D701D671A80659AFCF119F54DC09FBEBBB8FB04B51F004226F811E2290DB7D9A51CA84

Function 0078D3ED Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966edc1ae83046f8ad5cd67d6d548288510fea8d8194e3dca9f61d6388a8e577
Instruction ID: 07f34ffd6415b159d6094b793a0feb2230ed5344501e1a43c430fddaf6d720c0
Opcode Fuzzy Hash: 966edc1ae83046f8ad5cd67d6d548288510fea8d8194e3dca9f61d6388a8e577
Instruction Fuzzy Hash: 20B12A74E44249EFDF21EF99C884BAD7BB1AF49340F248159E408AB3D2D7789D41CBA0

Function 007788CA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007788C1,00776E81,00776170), ref: 007788D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007788E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007788FF
SetLastError.KERNEL32(00000000,007788C1,00776E81,00776170), ref: 00778951

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ed854c2be5ce3e64667ae0dd181726c0cadf25c0c2addbfdea0ac1d1c040129a
Instruction ID: 0edb2650d791dd0cee99b7dbe8c8c323cf32d34b3cec63b5f24a2c69e37d3ed5
Opcode Fuzzy Hash: ed854c2be5ce3e64667ae0dd181726c0cadf25c0c2addbfdea0ac1d1c040129a
Instruction Fuzzy Hash: 1C01DD3234921BDEAE941AB9FC8EA772744DB017F4320C22AF32C550E1FF5D6C11959A

Function 007789E1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00778AA8
___AdjustPointer.LIBCMT ref: 00778ACB
___AdjustPointer.LIBCMT ref: 00778B67

Strings

4=w, xrefs: 00778A40

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID: 4=w
API String ID: 1740715915-2024421503
Opcode ID: 9d0af9f7bff22dbede3d5cf14bd7ddf332a6acb39dd8ca837279660bafadeecf
Instruction ID: a2f0532444495e367c792e8068b4b5d8690020e760a0ad864f74c080404bc9b0
Opcode Fuzzy Hash: 9d0af9f7bff22dbede3d5cf14bd7ddf332a6acb39dd8ca837279660bafadeecf
Instruction Fuzzy Hash: 4451E2F2A40602DFDF659F14C849BBA77A5FF04390F15C42EE9095A1A1EB39EC41C792

Function 00774FC5 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00774FD9
AcquireSRWLockExclusive.KERNEL32(?), ref: 00774FF8
AcquireSRWLockExclusive.KERNEL32(?), ref: 00775026
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00775081
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00775098

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e1823e9646a2d9f4da1a0a5579eb13ef1108f673dd799e4fb2edbd4fedae89f8
Instruction ID: a982cf598783c3b24b68b2355d2e2d78300d59731488194c9f3b06d157f120c5
Opcode Fuzzy Hash: e1823e9646a2d9f4da1a0a5579eb13ef1108f673dd799e4fb2edbd4fedae89f8
Instruction Fuzzy Hash: C9415B35500A0ADFCF20DF75C8859AAB3B5FF04390B60C92AD05ED7640E7B9E995CBA1

Function 00772A9F Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00772AAB
int.LIBCPMT ref: 00772ABE

Part of subcall function 0077166A: std::_Lockit::_Lockit.LIBCPMT ref: 0077167B
Part of subcall function 0077166A: std::_Lockit::~_Lockit.LIBCPMT ref: 00771695

std::_Facet_Register.LIBCPMT ref: 00772AF1
std::_Lockit::~_Lockit.LIBCPMT ref: 00772B07
Concurrency::cancel_current_task.LIBCPMT ref: 00772B12

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 8585eecf4f46953d1a06a476673c01e75116e6bf62d5c02cdf72cc84f14a1618
Instruction ID: b80bb3260896510b9f0add4b53363aa32f76a1b87dfe7c9c25a220f06b7baf33
Opcode Fuzzy Hash: 8585eecf4f46953d1a06a476673c01e75116e6bf62d5c02cdf72cc84f14a1618
Instruction Fuzzy Hash: C001F772900114EBCF29AB64C809CAD7778EF847E0B24C555F8199B2A2EF389E02C780

Function 00774C78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,?,?,00772152,?,?,00000000), ref: 00774C84
GetExitCodeThread.KERNEL32(?,00000000,?,?,00772152,?,?,00000000), ref: 00774C9D
CloseHandle.KERNEL32(?,?,?,00772152,?,?,00000000), ref: 00774CAF

Strings

R!w, xrefs: 00774C8F

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: R!w
API String ID: 2551024706-3532116656
Opcode ID: 3d261a3fcf49bc916998e96ae3bb5bc042c03a9b54fad94f58625e22ebcfe511
Instruction ID: e1b45d7db3a3e535566667db3a2710ca439c20fd1a4b442f20d42a4fc2d3541a
Opcode Fuzzy Hash: 3d261a3fcf49bc916998e96ae3bb5bc042c03a9b54fad94f58625e22ebcfe511
Instruction Fuzzy Hash: DBF0E232601215BBDF214F28DC05B993BA8EB007B0F248711F829D62E0D735DD919A90

Function 00779A12 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,007799C3,00000000,00000001,007EDEF4,?,?,?,00779B66,00000004,InitializeCriticalSectionEx,00792C58,InitializeCriticalSectionEx), ref: 00779A1F
GetLastError.KERNEL32(?,007799C3,00000000,00000001,007EDEF4,?,?,?,00779B66,00000004,InitializeCriticalSectionEx,00792C58,InitializeCriticalSectionEx,00000000,?,0077991D), ref: 00779A29
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00778833), ref: 00779A51

Strings

api-ms-, xrefs: 00779A36

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 126ebf9d92f83d24246e483e1370a49b09f22c0a8c3dbf40c3928741b32b4418
Instruction ID: 7936c69d49db65fa0ea0f3d0e77ff909b33350acb9ac0398b9ce540f9cf63ba6
Opcode Fuzzy Hash: 126ebf9d92f83d24246e483e1370a49b09f22c0a8c3dbf40c3928741b32b4418
Instruction Fuzzy Hash: E3E04870381245B7DF106F60EC07F593F559B00B91F51C021FA0CA84E1D76A98A5D585

Function 00785131 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(AB595993,00000000,00000000,00000000), ref: 00785194

Part of subcall function 007875F2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007869BD,?,00000000,-00000008), ref: 0078769E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007853EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00785437
GetLastError.KERNEL32 ref: 007854DA

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 7bcb8e4950daf26c37a193424ee47cb58618f7f199b720bc378d31d546f53028
Instruction ID: d23772b9101cf33bf27f2ac26a0baf12e4b718fc5c046dfc5587e51c0d992ef3
Opcode Fuzzy Hash: 7bcb8e4950daf26c37a193424ee47cb58618f7f199b720bc378d31d546f53028
Instruction Fuzzy Hash: 7ED18DB5D046889FCF11DFA8D8809EDBBB5FF09314F28812AE859EB351D734A841CB50

Function 0078ED0F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0078D7AA,00000000,00000001,00000000,00000000,?,0078552E,00000000,00000000,00000000), ref: 0078ED26
GetLastError.KERNEL32(?,0078D7AA,00000000,00000001,00000000,00000000,?,0078552E,00000000,00000000,00000000,00000000,00000000,?,00785AB5,?), ref: 0078ED32

Part of subcall function 0078ECF8: CloseHandle.KERNEL32(FFFFFFFE,0078ED42,?,0078D7AA,00000000,00000001,00000000,00000000,?,0078552E,00000000,00000000,00000000,00000000,00000000), ref: 0078ED08

___initconout.LIBCMT ref: 0078ED42

Part of subcall function 0078ECBA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0078ECE9,0078D797,00000000,?,0078552E,00000000,00000000,00000000,00000000), ref: 0078ECCD

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0078D7AA,00000000,00000001,00000000,00000000,?,0078552E,00000000,00000000,00000000,00000000), ref: 0078ED57

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 560119d4bf863c49f90bdc84088da80875cbaf1cd1f48397304b262589f44af9
Instruction ID: 0e06b8114e6d68acce337a6685d5de6b012c9a2c921702092f6dcd93fbd0671a
Opcode Fuzzy Hash: 560119d4bf863c49f90bdc84088da80875cbaf1cd1f48397304b262589f44af9
Instruction Fuzzy Hash: 40F03036540159BBCF222FA5EC09D9A3F26FB487A1B408012FE1CC5130D7378CA1EBA4

Function 0078F6A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0078F00F), ref: 0078F6BC

Strings

DPy, xrefs: 0078F851
4=w, xrefs: 0078F786, 0078F830, 0078F876

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: 4=w$DPy
API String ID: 3527080286-4193779498
Opcode ID: 1a45ce1ead788e76d4f470dc47872202cb11658bf6eecccd603994a26c33f670
Instruction ID: 1f81825145cf33dffb89f0022251124e197473eaa781ed39be053c1f7e332e1d
Opcode Fuzzy Hash: 1a45ce1ead788e76d4f470dc47872202cb11658bf6eecccd603994a26c33f670
Instruction Fuzzy Hash: CD519D70940A1ACBDF14AFA9E84C1ADBFB4FF48304F914076D491AA264D77C8A65CF94

Function 007740EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_Fputc.LIBCPMT ref: 007741C7

Strings

4=w, xrefs: 007741A6

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Fputc
String ID: 4=w
API String ID: 3078413507-2024421503
Opcode ID: d397207648d5807dd026d7f6a611cbcbc811bd8161b2f87d01e594e36a52cc6b
Instruction ID: a51b5ebf7976714a43db97ad079abfa57ac1b80b22cbf4c95f838eea06a4e5a9
Opcode Fuzzy Hash: d397207648d5807dd026d7f6a611cbcbc811bd8161b2f87d01e594e36a52cc6b
Instruction Fuzzy Hash: 5A41C53290061EEBCF14EF64C8808EEB7B8FF18394F548056E509A7640EB39ED95CB90

Function 00778FDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00779002

Strings

RCC, xrefs: 0077901C
MOC, xrefs: 00779014

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 0647603fe84ea490b6396124c0c5b3368deca4b5ef2e127c4743873cd2dbac87
Instruction ID: b8fa0040df5c0b26ef9485f7ffd0c56a4353800e2eca79c86f5ddebe01a55f86
Opcode Fuzzy Hash: 0647603fe84ea490b6396124c0c5b3368deca4b5ef2e127c4743873cd2dbac87
Instruction Fuzzy Hash: C9418F7190120AEFCF16DF98CC85AEEBBB5FF49390F148099FA0867221D3399960DB51

Function 00773352 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0077335E
std::_Lockit::~_Lockit.LIBCPMT ref: 007733BA

Strings

4=w, xrefs: 00773385, 0077339F

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 4=w
API String ID: 593203224-2024421503
Opcode ID: 65d5883c323322d3c373140558a190a4b4f7eba95c70eb6af2eda01c5ebbd001
Instruction ID: 5925f870cf7781e9749497019e0ad79ee1b26ff566a965021ebe37325bc667f3
Opcode Fuzzy Hash: 65d5883c323322d3c373140558a190a4b4f7eba95c70eb6af2eda01c5ebbd001
Instruction Fuzzy Hash: E501B135600219EFCF10DB19C899EAD77B8EF847A0B04809AE4059B371DF74EE46DB90

Function 00771595 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0077159C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007715D4

Part of subcall function 007733C3: _Yarn.LIBCPMT ref: 007733E2
Part of subcall function 007733C3: _Yarn.LIBCPMT ref: 00773406

Strings

bad locale name, xrefs: 007715E2

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: c593da69493e74040b9b2445eacd987654c7f7327ef3f3eb854f5ea5bb3264bb
Instruction ID: 64f4db13be5b268b7011160aabf3811a07bb856ecb4cea500f4845baf637d045
Opcode Fuzzy Hash: c593da69493e74040b9b2445eacd987654c7f7327ef3f3eb854f5ea5bb3264bb
Instruction Fuzzy Hash: F7F01771505B809E87319F7A9485447FBE4BE29360390CE2FE0DEC3A12D738A504CBAA

Function 00781FCE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0078200E

Strings

InitializeCriticalSectionEx, xrefs: 00781FDE
4=w, xrefs: 00781FFE

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 4=w$InitializeCriticalSectionEx
API String ID: 2593887523-2532750098
Opcode ID: 6b1781e28b0a642b5e2e540981c714998e9f214dd2b16b86a2771f2fdbd6667e
Instruction ID: d426ffdc54f1dcd31a3abed0cf2a9b3fba1bbee05bc4fd16b49dbfe31dabace1
Opcode Fuzzy Hash: 6b1781e28b0a642b5e2e540981c714998e9f214dd2b16b86a2771f2fdbd6667e
Instruction Fuzzy Hash: 38E092366C025DB7CF112F55EC09E8E7F15EB04761B408011FD1825161C6BA9973E7E4

Function 00781E51 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00781E85

Strings

FlsAlloc, xrefs: 00781E61
4=w, xrefs: 00781E7B

Memory Dump Source

Source File: 00000000.00000002.2256397991.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000000.00000002.2256370270.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256435689.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256514600.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256544810.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2256568155.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_770000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Alloc
String ID: 4=w$FlsAlloc
API String ID: 2773662609-162422361
Opcode ID: 01d60cd97fe4711fd344fad94e98da9a033025b1e25426f136ee5d74c75451e5
Instruction ID: 9f2f3570f613747a7ec23b6b0571ec67db8e0ec40053d8baec5c2dcf20d5491d
Opcode Fuzzy Hash: 01d60cd97fe4711fd344fad94e98da9a033025b1e25426f136ee5d74c75451e5
Instruction Fuzzy Hash: 2CE0C2766C02A8778A2133A5AC1FD9F7E18CF40B71B844022FE05552429AAD4C5383E9

Analysis Process: SoftWare(2).exePID: 1708, Parent PID: 6096COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	61
Total number of Limit Nodes:	10

Executed Functions

Function 00439D8A Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 307
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 00439AB8
SysAllocString.OLEAUT32(?), ref: 00439B54
VariantInit.OLEAUT32(?), ref: 00439BBF
SysFreeString.OLEAUT32(B5E3B7E1), ref: 00439D1C
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00439D57
VariantClear.OLEAUT32(?), ref: 00439D99
SysFreeString.OLEAUT32(?), ref: 00439DBE
SysFreeString.OLEAUT32(55285730), ref: 00439DC3

Strings

0W(U, xrefs: 00439AD7
~A, xrefs: 00439BD6

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: String$Free$AllocVariant$ClearInformationInitVolume
String ID: 0W(U$~A
API String ID: 4011520403-3841131973
Opcode ID: a8a63e7c56a7cbd72f0607590c6add5ffcb363f6541818aa96f6dc7258db5d93
Instruction ID: f9ccd9820d9b7da06d48d1adae08cbdec15a0621a3fc155e3d55f24cd624be56
Opcode Fuzzy Hash: a8a63e7c56a7cbd72f0607590c6add5ffcb363f6541818aa96f6dc7258db5d93
Instruction Fuzzy Hash: 06B1BDB9600700CFD324CF65DC85B26B7B6FF8A310F188969E4468B7A5D775E842CB54

Function 0043A320 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805618d78dd3bab6080c38942e6646fc2923eccc631d31120460989af68852de
Instruction ID: 8a2acea305d679a54a9b05156e31725b27baeeb6ceb9e84bb500031abd5c9e61
Opcode Fuzzy Hash: 805618d78dd3bab6080c38942e6646fc2923eccc631d31120460989af68852de
Instruction Fuzzy Hash: 3A3127329493244BD3245E398C8037ABA92ABC9334F29972FDDF5873C4D6784C5252C7

Function 0040CAB0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,B92ABB15,004473DA,?,00000000,00000005), ref: 0040CCC9
GetCurrentThreadId.KERNEL32 ref: 0040CCD8
GetInputState.USER32 ref: 0040CCDE
GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0040CCE8
ExitProcess.KERNEL32 ref: 0040CD08

Strings

de, xrefs: 0040CC2C

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExecuteExitInputShellStateThread
String ID: de
API String ID: 288744916-2106599819
Opcode ID: 620b97739e5fa50a3b95fc85534f3a8146ea41deb092a5eb906570f99821ce50
Instruction ID: 231a4e3dab72d40a880b14386fc2d0273c0b4a9cdaa7810594481681083c38e1
Opcode Fuzzy Hash: 620b97739e5fa50a3b95fc85534f3a8146ea41deb092a5eb906570f99821ce50
Instruction Fuzzy Hash: F75199317487004BE7089B39DD5636BBAC29FD5328F18DA3DE581CB3D1EA7C8806874A

Function 00410A50 Relevance: 4.6, APIs: 3, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00410B63
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410B85
CoUninitialize.OLE32 ref: 00410BA4

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Initialize$SecurityUninitialize
String ID:
API String ID: 3757020523-0
Opcode ID: 08a4fdebc312702e31e1d73f6f4ef979ff0ccac680f27421a0fe7b7824947942
Instruction ID: c3d2132f3ee0f8c055cd55bf8eb2c13e4520440c92d50af80f4c7c815d5d1c9d
Opcode Fuzzy Hash: 08a4fdebc312702e31e1d73f6f4ef979ff0ccac680f27421a0fe7b7824947942
Instruction Fuzzy Hash: 71414CB4D10B00ABD730AF3D9D0B7567EA4AB02620F50472DF9F69A6D4E630A4198BD7

Function 00439DF7 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00439E07
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00439E1D

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 5d623c569c5d89708920278ea50d859ed3bcad267309eb0339f2e967b318bda0
Instruction ID: b256e9a92b817ec27e28fb1b19f637e0688ff0f51c8eb060050e2b92562f49b2
Opcode Fuzzy Hash: 5d623c569c5d89708920278ea50d859ed3bcad267309eb0339f2e967b318bda0
Instruction Fuzzy Hash: 04E0C234BC4310BBF6321B14EC57F043669A716F42F204060B3117C4E486E126159A0D

Function 00440598 Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 00440598
GetForegroundWindow.USER32 ref: 004405A7

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a0b4477ad36a7f248a5341c477f37309fa23a07267384f539110048d88ff45f3
Instruction ID: 2274dcb3df4fc9a412349044b75870bee68c7137ac83f524f1f755fc4c1b171f
Opcode Fuzzy Hash: a0b4477ad36a7f248a5341c477f37309fa23a07267384f539110048d88ff45f3
Instruction Fuzzy Hash: EAD017FAE054309FDB00AB98ED0545E7320AF8A2093164164E90227265DB382D168AEA

Function 0043D2C2 Relevance: 1.6, APIs: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043D358

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b9a1f6b89f9255339ae15f9a463dab4acaa4e082290182b98a674a94e4401300
Instruction ID: 467d2285e180ff4032b91535d20228d5128da220be5acf6476c3b294377462ac
Opcode Fuzzy Hash: b9a1f6b89f9255339ae15f9a463dab4acaa4e082290182b98a674a94e4401300
Instruction Fuzzy Hash: 91019C363883108FD3055A5CECD27D677D4D76B224F040878DA89833A2C16D9C4B9791

Function 004397EF Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(000000C8), ref: 00439855

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 03a4db25a36bfc41791a542ae7c616e5b2ca9a5a9fa007faa3193d1a0535cb28
Instruction ID: f31a2d953b6e5162024a9805649b5b636655f1532d82c63f9bfceabda5f52aaf
Opcode Fuzzy Hash: 03a4db25a36bfc41791a542ae7c616e5b2ca9a5a9fa007faa3193d1a0535cb28
Instruction Fuzzy Hash: 740168342012405FC356DB38C8A8BA637E1EB5A204B1C48A8E982CF786CB38A802CB40

Function 0043F9C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00442BC0,005C003F,00000006,?,?,00000018,?,?,?), ref: 0043F9EE

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0043D29B Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043D2A0

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3d18ee4376bf2d824f38acead0c9f5744e9de16da2102177375212aea85279d7
Instruction ID: 6591ed9e1d0ea3b549b980b9e15e42657e415fa3f309ff60b583f711f0ad84c7
Opcode Fuzzy Hash: 3d18ee4376bf2d824f38acead0c9f5744e9de16da2102177375212aea85279d7
Instruction Fuzzy Hash: 8AB09236A442099AEE102B84FC097D8B720FB8022AF2000B2E21C960A2C2329527DB94

Non-executed Functions

Function 00426330 Relevance: 26.7, APIs: 2, Strings: 13, Instructions: 457COMMON

Download Yara Rule

Strings

Q#U-, xrefs: 00426613
^+A5, xrefs: 00426623
E;YE, xrefs: 00426643
4G6A, xrefs: 0042664B
=ChM, xrefs: 00426653
[/Q), xrefs: 0042661B
E#A%, xrefs: 004268D2
LO, xrefs: 0042665B
M?H9, xrefs: 0042663B
yK, xrefs: 00426344
Y7U1, xrefs: 0042662B
fB, xrefs: 004266B9
Y'K!, xrefs: 0042660B

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID:
String ID: 4G6A$=ChM$E#A%$E;YE$LO$M?H9$Q#U-$Y'K!$Y7U1$[/Q)$^+A5$yK$fB
API String ID: 0-2549420
Opcode ID: 02929bccbff9db02e6b5564eed485790da5832b0c13f742a4c14557ef649f99c
Instruction ID: 22fb139d8a3be79b82da9622f5cd62bff9187e932866e5a307260ffa6ff92d44
Opcode Fuzzy Hash: 02929bccbff9db02e6b5564eed485790da5832b0c13f742a4c14557ef649f99c
Instruction Fuzzy Hash: 32F1BAB45083419BD314CF25E89462BBBF1FF92758F448A2DF4999B250E778C905CB8B

Function 00434890 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 121clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004348A4
GetWindowLongW.USER32 ref: 004348D3
GetClipboardData.USER32 ref: 004348E3
CloseClipboard.USER32 ref: 00434A11

Strings

-, xrefs: 00434958
', xrefs: 0043496C
", xrefs: 00434967
&, xrefs: 0043494E
', xrefs: 00434944
, xrefs: 00434971

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: $"$&$'$'$-
API String ID: 1647500905-2671916629
Opcode ID: 25f4185c06dce3e19daa06021bd339f8e185a1bc28b795b466b73c6e5b615342
Instruction ID: 4756ef427f1fa0668dbcce1bb479ecc39e6fe38769b24ebdf32592f2623dad5c
Opcode Fuzzy Hash: 25f4185c06dce3e19daa06021bd339f8e185a1bc28b795b466b73c6e5b615342
Instruction Fuzzy Hash: 2541C07150C3918FD300AF7C98493AFBFD09F96318F141A2EE4D546382D279954A87AB

Function 0078AA80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,00000008,00783F2B), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000,0079A378,00000024,0077C1E3), ref: 007828D4

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0078AB8C
IsValidCodePage.KERNEL32(00000000), ref: 0078ABD5
IsValidLocale.KERNEL32(?,00000001), ref: 0078ABE4
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0078AC2C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0078AC4B

Strings

L]y, xrefs: 0078AAE5

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: L]y
API String ID: 415426439-2685224759
Opcode ID: 2e52cb5103c5996df5588a4f00a0302543a030ef6732327f827d5e6c09967750
Instruction ID: e574b55578ef2335807c27eb35cfaf59133b179ada0115787bc92cff314114ed
Opcode Fuzzy Hash: 2e52cb5103c5996df5588a4f00a0302543a030ef6732327f827d5e6c09967750
Instruction Fuzzy Hash: 9851A2B1A80209BFEF11EFA9CC45EAE77B9AF04700F04446BA505E7191E7789941CB62

Function 0078A11C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078282E: GetLastError.KERNEL32(?,00000008,00783F2B), ref: 00782832
Part of subcall function 0078282E: SetLastError.KERNEL32(00000000,0079A378,00000024,0077C1E3), ref: 007828D4

GetACP.KERNEL32(?,?,?,?,?,?,0077FDE0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0078A1DD
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0077FDE0,?,?,?,00000055,?,-00000050,?,?), ref: 0078A208
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0078A36B

Strings

utf8, xrefs: 0078A2DA
L]y, xrefs: 0078A15E

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: L]y$utf8
API String ID: 607553120-1438822892
Opcode ID: 2beb104ee1e3ee2f1f92cd63f76beba2590c0642da375efe96a6692e708b7543
Instruction ID: 4d6301718df969c4320c357c27071f753632c2da45d7708dad6cbfff18bb0ca0
Opcode Fuzzy Hash: 2beb104ee1e3ee2f1f92cd63f76beba2590c0642da375efe96a6692e708b7543
Instruction Fuzzy Hash: 9371D571A80206FBEB25BB75DC4ABA673A8EF44710F14402BE605D7181FB7CE941C7A2

Function 0042AB2D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,19DC1BD1,00000000), ref: 0042AC35
CopyFileW.KERNEL32(?,19DC1BD1,00000000), ref: 0042AD14

Strings

JY, xrefs: 0042AC58
UP, xrefs: 0042AC50
EN, xrefs: 0042AC60

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CopyFile
String ID: EN$JY$UP
API String ID: 1304948518-605324858
Opcode ID: e97db5fc327c92950db94cf92f55aaf8cb91242ed17c308ddec2f55a6639e185
Instruction ID: 184eee9a6f49948121e519562c5c8c6fe662c1a0d4d77d0fffff5943e82e6bc8
Opcode Fuzzy Hash: e97db5fc327c92950db94cf92f55aaf8cb91242ed17c308ddec2f55a6639e185
Instruction Fuzzy Hash: DA512379419394CFE310DF20C88461FBBE1FB96304F4489ACE9845B265EBB98906CBC6

Function 0078A8AB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0078ABC9,00000002,00000000,?,?,?,0078ABC9,?,00000000), ref: 0078A944
GetLocaleInfoW.KERNEL32(?,20001004,0078ABC9,00000002,00000000,?,?,?,0078ABC9,?,00000000), ref: 0078A96D
GetACP.KERNEL32(?,?,0078ABC9,?,00000000), ref: 0078A982

Strings

ACP, xrefs: 0078A8C9
OCP, xrefs: 0078A8FF

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 082358dbb7a97bbcd9687de8a958f66cf9f796031367e094d0f6d6822a94e35e
Instruction ID: 39f6cb47417a243fcd9d58ac0f62c50e9b27a5535d2ade89534d550d90999a5f
Opcode Fuzzy Hash: 082358dbb7a97bbcd9687de8a958f66cf9f796031367e094d0f6d6822a94e35e
Instruction Fuzzy Hash: 7B21F822684102B6FB35AF54D801AA773A7AB64B60B57C026E90AD7100F73AED81C362

Function 00782D9D Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00782E2A

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction ID: 3b28c51fdfd84aaca524ef25c381723d8a4553958f59bbfa574a2a27434e2827
Opcode Fuzzy Hash: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction Fuzzy Hash: 3BB13832A442559FDB15EF68C885BFEBBB5EF55310F14816AE905AB242D23C9D02CBA0

Function 00771FEA Relevance: 6.2, APIs: 4, Instructions: 153threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00772138
GetConsoleWindow.KERNEL32(00000001), ref: 00772167
ShowWindow.USER32(00000000), ref: 0077216E
std::_Throw_Cpp_error.LIBCPMT ref: 0077218D

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Window$ConsoleCpp_errorCurrentShowThreadThrow_std::_
String ID:
API String ID: 3913708665-0
Opcode ID: 6723c71da2918eae0276d08fcb2a422e22043021f1023b9189cb0c94b7b3e501
Instruction ID: 0753138a25edfdbd2616b157a3db03b18d09aa97562980bc6833a8b737a951d0
Opcode Fuzzy Hash: 6723c71da2918eae0276d08fcb2a422e22043021f1023b9189cb0c94b7b3e501
Instruction Fuzzy Hash: 9541E23290021AABDF1466758C46BAFBA59FB447D0F80C122F72E971D2E73C4643C3A5

Function 00775F93 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00775F9F
IsDebuggerPresent.KERNEL32 ref: 0077606B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00776084
UnhandledExceptionFilter.KERNEL32(?), ref: 0077608E

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a66545f30332968e70502fff4aa1d5db78371bdc0b0f9aef3067eba6c49ba413
Instruction ID: 1f066b6995fafb2014b079438d0d7d1806f45c27677bd8831131e3019590cef3
Opcode Fuzzy Hash: a66545f30332968e70502fff4aa1d5db78371bdc0b0f9aef3067eba6c49ba413
Instruction Fuzzy Hash: C3312375D01219DBDF21DFA4D849BCDBBB8BF08340F0081AAE40CAB250EB759A858F45

Function 00771AC2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00772B18: __EH_prolog3_catch.LIBCMT ref: 00772B1F

_Deallocate.LIBCONCRT ref: 00771C9D
_Deallocate.LIBCONCRT ref: 00771CEA

Strings

Current val: %d, xrefs: 00771C76

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Deallocate$H_prolog3_catch
String ID: Current val: %d
API String ID: 1212816977-1825967858
Opcode ID: 039c05c3fba636b48b8683b418e7187368da0260861c502fa0cd2dcb72e156f6
Instruction ID: 165a54a09ac655d3958bf4875ba0dabdd66fcb289b7f59ae1f39e272a390fa26
Opcode Fuzzy Hash: 039c05c3fba636b48b8683b418e7187368da0260861c502fa0cd2dcb72e156f6
Instruction Fuzzy Hash: 8E61CFB251C3448FC720DF29D48026BFBE0AFC8754F558A2EF9D893252D739D9048B92

Function 0043558E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004355C8
GetSystemMetrics.USER32 ref: 004355D7

Strings

, xrefs: 00435682

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: e2876d2b5bdc6cdf6ada9f920f049300c611385dd03e22802a7375746016042b
Instruction ID: bdb8cf69bf876bf175a14c5de62bcad103ce2e33e6cc0c8c2d618f5fcdea42c8
Opcode Fuzzy Hash: e2876d2b5bdc6cdf6ada9f920f049300c611385dd03e22802a7375746016042b
Instruction Fuzzy Hash: 9231ADB49183009FDB00EF6CD98461EBBF4BB89304F01892DE488DB365D770A949CF86

Function 00425020 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00446A60,00000000,00000001,00446A50), ref: 00425049

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: bb45eb4e653631ce16f4ccb15df136c367e83ae5f98d0e9e191a52bed8c9b3b2
Instruction ID: d0d6746d253a51dc3f7e786193e033542b3eacddf4d4108d9e7985252502e115
Opcode Fuzzy Hash: bb45eb4e653631ce16f4ccb15df136c367e83ae5f98d0e9e191a52bed8c9b3b2
Instruction Fuzzy Hash: B251BFB1700624ABDB209B24DC96B7733B4EF82368F448559F986CB391E379D901C76A

Function 00433D56 Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00433DD5

Strings

q, xrefs: 00433E30
y, xrefs: 00433E70
m, xrefs: 00433ED0
Q, xrefs: 00433F30
G, xrefs: 00433F80
Y, xrefs: 00433F70
/, xrefs: 00433D81
0, xrefs: 00434096
-, xrefs: 00433D77
W, xrefs: 00433F00
e, xrefs: 00433E90
s, xrefs: 00433E20
c, xrefs: 00433EA0
i, xrefs: 00433EF0
3, xrefs: 00433D6D
], xrefs: 00433F50
., xrefs: 00433D7C
{, xrefs: 00433E60
?, xrefs: 00433E18
a, xrefs: 00433EB0
[, xrefs: 00433F60
,, xrefs: 00433E58
1, xrefs: 00433D63
A, xrefs: 00433FB0
E, xrefs: 00433F90
O, xrefs: 00433FC0
S, xrefs: 00433F20
_, xrefs: 00433F40
?, xrefs: 00433E28
w, xrefs: 00433E00
o, xrefs: 00433EC0
C, xrefs: 00433FA0
}, xrefs: 00433E50
,, xrefs: 00433E78
k, xrefs: 00433EE0
U, xrefs: 00433F10
u, xrefs: 00433E10
M, xrefs: 00433FD0
-, xrefs: 00433EC8
L, xrefs: 00433FC8
g, xrefs: 00433E80
;, xrefs: 00433DF8

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: AllocString
String ID: ,$,$-$-$.$/$0$1$3$;$?$?$A$C$E$G$L$M$O$Q$S$U$W$Y$[$]$_$a$c$e$g$i$k$m$o$q$s$u$w$y${$}
API String ID: 2525500382-3634551771
Opcode ID: ca391d98c9dccdced69f4d7401e39fe691b8e05483432592da91970a19eecc4a
Instruction ID: 4fc45ee97560e479e0cc484ca65c4e41e9dbda81c931abe5ff8b62bc7f6a1b73
Opcode Fuzzy Hash: ca391d98c9dccdced69f4d7401e39fe691b8e05483432592da91970a19eecc4a
Instruction Fuzzy Hash: 0591E92050C7C18DE332963C885979BBED16BA7228F184A9DD4EC8B3D3C7B94549C767

Function 0077516A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00775170
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0077517E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0077518F
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 007751A0

Strings

GetCurrentPackageId, xrefs: 00775178
kernel32.dll, xrefs: 0077516B
GetSystemTimePreciseAsFileTime, xrefs: 00775184
GetTempPath2W, xrefs: 00775195

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 8bcfaf172e376eb24d89f050d76e01e127be8d93f6ff66ba694266604cd4623d
Instruction ID: 33d4d9ff41b92d45f6d786d5dfb7553fd8546622954663b679f997ed46a8e409
Opcode Fuzzy Hash: 8bcfaf172e376eb24d89f050d76e01e127be8d93f6ff66ba694266604cd4623d
Instruction Fuzzy Hash: 37E046F1A866D9AB8B106F79BC088553BA9AA092803018116F600C6268E27D08668B5C

Function 007786D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00778707
___except_validate_context_record.LIBVCRUNTIME ref: 0077870F
_ValidateLocalCookies.LIBCMT ref: 00778798
__IsNonwritableInCurrentImage.LIBCMT ref: 007787C3
_ValidateLocalCookies.LIBCMT ref: 00778818

Strings

4=w, xrefs: 007787DC
csm, xrefs: 007787AD

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 4=w$csm
API String ID: 1170836740-1306970713
Opcode ID: 9f24ce710233bfe1312daf386e746898819ee971223ec82b3c05cdcaf8e5ee2c
Instruction ID: a26b513a54d0729c138497cdc6a7d390d2a4e271dc2d320e2a80454e258a12c0
Opcode Fuzzy Hash: 9f24ce710233bfe1312daf386e746898819ee971223ec82b3c05cdcaf8e5ee2c
Instruction Fuzzy Hash: C541E834A40208EFCF14DF68C889A9E7BB5AF05354F24C155E91D9B352DB399A11CBD2

Function 007735FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00773603
std::_Lockit::_Lockit.LIBCPMT ref: 0077360D
int.LIBCPMT ref: 00773624

Part of subcall function 0077166A: std::_Lockit::_Lockit.LIBCPMT ref: 0077167B
Part of subcall function 0077166A: std::_Lockit::~_Lockit.LIBCPMT ref: 00771695

std::_Facet_Register.LIBCPMT ref: 0077365E
std::_Lockit::~_Lockit.LIBCPMT ref: 0077367E
Concurrency::cancel_current_task.LIBCPMT ref: 0077368B

Strings

4=w, xrefs: 0077366B

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: 4=w
API String ID: 55977855-2024421503
Opcode ID: 799a44bcc459472659476dc3dd887340586e68121db06c05892b12b1a93d4032
Instruction ID: 0e338dc1d52cc18ce482562fb3e5d35f67b369df3b319320952e11e7e85abf5d
Opcode Fuzzy Hash: 799a44bcc459472659476dc3dd887340586e68121db06c05892b12b1a93d4032
Instruction Fuzzy Hash: A511E171900215EFCF04EB68D8497AE77B4EF447A0F60841AE409AB391DFBC9E018791

Function 00778C38 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00778D57
___TypeMatch.LIBVCRUNTIME ref: 00778E65
CallUnexpected.LIBVCRUNTIME ref: 00778FD2

Strings

csm, xrefs: 00778D8E
csm, xrefs: 00778C75
csm, xrefs: 00778CE2

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: b62d7e2d12b46bcac47d6015065f5aa61d983bf5acb85d4b3afc52e7b34a28b9
Instruction ID: 0765ddde1795ba015fbecd352a28947b59b1218d3e8db319d13369adc39133a3
Opcode Fuzzy Hash: b62d7e2d12b46bcac47d6015065f5aa61d983bf5acb85d4b3afc52e7b34a28b9
Instruction Fuzzy Hash: 92B1A031D40209DFCF64DFA4C8499AEBBB6FF14390F148159F9186B242DB78DA11CB92

Function 00781C2F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00781D3C,?,?,00000000,00000000,?,?,00781F2A,00000021,FlsSetValue,00794A04,00794A0C,00000000), ref: 00781CF0

Strings

api-ms-, xrefs: 00781C86
ext-ms-, xrefs: 00781C9A

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 9a8413be067bde4e919a80d3ff232ec992d6902b577582a7a62b9e5b2c2fce5a
Instruction ID: 423e30b295b8f6df1262515f8bac793550a83ffb948bdf69f722cf2bbd8fdd98
Opcode Fuzzy Hash: 9a8413be067bde4e919a80d3ff232ec992d6902b577582a7a62b9e5b2c2fce5a
Instruction Fuzzy Hash: 25210271AC1251ABCB21AB25AC55EAA376C9B01760B610621E915A7290D639ED03C7E0

Function 007732C5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007732CC
std::_Lockit::_Lockit.LIBCPMT ref: 007732D7
std::locale::_Setgloballocale.LIBCPMT ref: 007732F2
_Yarn.LIBCPMT ref: 00773308
std::_Lockit::~_Lockit.LIBCPMT ref: 00773345

Strings

4=w, xrefs: 00773314, 00773338

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID: 4=w
API String ID: 156189095-2024421503
Opcode ID: 8095a09791da7ff5de8c2dc8594d3cb1f977e115182df6ddc4fb97c454a4fbf2
Instruction ID: c6bc4d252eae3396c224fa8fa55a106b1102bb2de6f60761448a3f09711d968a
Opcode Fuzzy Hash: 8095a09791da7ff5de8c2dc8594d3cb1f977e115182df6ddc4fb97c454a4fbf2
Instruction Fuzzy Hash: BD01DF71A00251DBCF0AEB60D89997C7BA1FF89790B14C00AE8095B391CF7C6E42DBC5

Function 0077F4E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,0079060C,000000FF,?,0077F478,0077F5A8,?,0077F44C,00000000), ref: 0077F51D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0077F52F
FreeLibrary.KERNEL32(00000000,?,?,00000000,0079060C,000000FF,?,0077F478,0077F5A8,?,0077F44C,00000000), ref: 0077F551

Strings

4=w, xrefs: 0077F540
CorExitProcess, xrefs: 0077F527
mscoree.dll, xrefs: 0077F516

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 4=w$CorExitProcess$mscoree.dll
API String ID: 4061214504-3505369049
Opcode ID: 455d1dfb239abc13b10398aa43ea68a54e7ddfa43c427a8c4ccaaa26e53577fb
Instruction ID: 89369e52d010fe0f07515b6287a74109819033918d8cc854d4318012d558a73f
Opcode Fuzzy Hash: 455d1dfb239abc13b10398aa43ea68a54e7ddfa43c427a8c4ccaaa26e53577fb
Instruction Fuzzy Hash: D701D671A80659AFCF119F54DC09FBEBBB8FB04B51F004226F811E2290DB7D9A51CA84

Function 0078D3ED Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a392990563ba042b946d7fa490120f0f720f0b1efd693034b90d2f2d6060a4
Instruction ID: 07f34ffd6415b159d6094b793a0feb2230ed5344501e1a43c430fddaf6d720c0
Opcode Fuzzy Hash: f4a392990563ba042b946d7fa490120f0f720f0b1efd693034b90d2f2d6060a4
Instruction Fuzzy Hash: 20B12A74E44249EFDF21EF99C884BAD7BB1AF49340F248159E408AB3D2D7789D41CBA0

Function 007788CA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007788C1,00776E81,00776170), ref: 007788D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007788E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007788FF
SetLastError.KERNEL32(00000000,007788C1,00776E81,00776170), ref: 00778951

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ed854c2be5ce3e64667ae0dd181726c0cadf25c0c2addbfdea0ac1d1c040129a
Instruction ID: 0edb2650d791dd0cee99b7dbe8c8c323cf32d34b3cec63b5f24a2c69e37d3ed5
Opcode Fuzzy Hash: ed854c2be5ce3e64667ae0dd181726c0cadf25c0c2addbfdea0ac1d1c040129a
Instruction Fuzzy Hash: 1C01DD3234921BDEAE941AB9FC8EA772744DB017F4320C22AF32C550E1FF5D6C11959A

Function 007789E1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00778AA8
___AdjustPointer.LIBCMT ref: 00778ACB
___AdjustPointer.LIBCMT ref: 00778B67

Strings

4=w, xrefs: 00778A40

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: AdjustPointer
String ID: 4=w
API String ID: 1740715915-2024421503
Opcode ID: 7bc7b132094e661b0ab84f912dfc9c09e596936d7d7b5443d298e4374c7c835a
Instruction ID: a2f0532444495e367c792e8068b4b5d8690020e760a0ad864f74c080404bc9b0
Opcode Fuzzy Hash: 7bc7b132094e661b0ab84f912dfc9c09e596936d7d7b5443d298e4374c7c835a
Instruction Fuzzy Hash: 4451E2F2A40602DFDF659F14C849BBA77A5FF04390F15C42EE9095A1A1EB39EC41C792

Function 00432C4C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00432C52

Strings

u, xrefs: 00432C8C
v, xrefs: 00432C7C
l, xrefs: 00432C74
v, xrefs: 00432C94

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: l$u$v$v
API String ID: 1927566239-1272432724
Opcode ID: 3d09af986965fa8269b4e453122e4f53ed5f63cd191a6f17a1b068d429b14f0c
Instruction ID: f4dcb3389802090c0551e056560584a0b0a6e7021af8dcd3ff8d0a199bafa594
Opcode Fuzzy Hash: 3d09af986965fa8269b4e453122e4f53ed5f63cd191a6f17a1b068d429b14f0c
Instruction Fuzzy Hash: D1315E70208B818FD7218F3CC895756BFE1AB96214F18C6ADD4EA4F3D6C6799406C762

Function 00431D64 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00431D6F

Strings

l, xrefs: 00431D97
v, xrefs: 00431DB7
u, xrefs: 00431DAF
v, xrefs: 00431D9F

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: l$u$v$v
API String ID: 1927566239-1272432724
Opcode ID: b9c0fe8cd45cafde75fba57dbc613099f783d5f054f40d6b68ff1ace05d0bec9
Instruction ID: a6c15116f9fe3207fd6265cf7aafe90e72b6c1e75954648c677e0225806886da
Opcode Fuzzy Hash: b9c0fe8cd45cafde75fba57dbc613099f783d5f054f40d6b68ff1ace05d0bec9
Instruction Fuzzy Hash: 9F313C70208B818FD721CF3CC895756BFD1AB96224F18C6ADD4EA8F3D7C27994068762

Function 00774FC5 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00774FD9
AcquireSRWLockExclusive.KERNEL32(?), ref: 00774FF8
AcquireSRWLockExclusive.KERNEL32(?), ref: 00775026
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00775081
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00775098

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: e1823e9646a2d9f4da1a0a5579eb13ef1108f673dd799e4fb2edbd4fedae89f8
Instruction ID: a982cf598783c3b24b68b2355d2e2d78300d59731488194c9f3b06d157f120c5
Opcode Fuzzy Hash: e1823e9646a2d9f4da1a0a5579eb13ef1108f673dd799e4fb2edbd4fedae89f8
Instruction Fuzzy Hash: C9415B35500A0ADFCF20DF75C8859AAB3B5FF04390B60C92AD05ED7640E7B9E995CBA1

Function 00772A9F Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00772AAB
int.LIBCPMT ref: 00772ABE

Part of subcall function 0077166A: std::_Lockit::_Lockit.LIBCPMT ref: 0077167B
Part of subcall function 0077166A: std::_Lockit::~_Lockit.LIBCPMT ref: 00771695

std::_Facet_Register.LIBCPMT ref: 00772AF1
std::_Lockit::~_Lockit.LIBCPMT ref: 00772B07
Concurrency::cancel_current_task.LIBCPMT ref: 00772B12

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 8585eecf4f46953d1a06a476673c01e75116e6bf62d5c02cdf72cc84f14a1618
Instruction ID: b80bb3260896510b9f0add4b53363aa32f76a1b87dfe7c9c25a220f06b7baf33
Opcode Fuzzy Hash: 8585eecf4f46953d1a06a476673c01e75116e6bf62d5c02cdf72cc84f14a1618
Instruction Fuzzy Hash: C001F772900114EBCF29AB64C809CAD7778EF847E0B24C555F8199B2A2EF389E02C780

Function 00779EBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(?,?,00779D5F,00000000,00000000,?), ref: 00779F04
GetLastError.KERNEL32(?,00772129,00000000,00000000,00772C5B,00000000,00000000), ref: 00779F10
__dosmaperr.LIBCMT ref: 00779F17

Strings

[,w, xrefs: 00779F2C

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: [,w
API String ID: 2744730728-1761122162
Opcode ID: fab9639f8b8767c09adc53ad552ccae6b0b31124d0cc896049348a101eb87c66
Instruction ID: 98ebc71b370d1a72eb5f37c3166f87aea42deac091bd485c5aeb761ff39b33d5
Opcode Fuzzy Hash: fab9639f8b8767c09adc53ad552ccae6b0b31124d0cc896049348a101eb87c66
Instruction Fuzzy Hash: 8701B172512209EFDF159FA0DC0AAEE7B64EF043A0F10C159FA0996150DB79CD90DB90

Function 00774C78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,?,?,00772152,?,?,00000000), ref: 00774C84
GetExitCodeThread.KERNEL32(?,00000000,?,?,00772152,?,?,00000000), ref: 00774C9D
CloseHandle.KERNEL32(?,?,?,00772152,?,?,00000000), ref: 00774CAF

Strings

R!w, xrefs: 00774C8F

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: R!w
API String ID: 2551024706-3532116656
Opcode ID: 3d261a3fcf49bc916998e96ae3bb5bc042c03a9b54fad94f58625e22ebcfe511
Instruction ID: e1b45d7db3a3e535566667db3a2710ca439c20fd1a4b442f20d42a4fc2d3541a
Opcode Fuzzy Hash: 3d261a3fcf49bc916998e96ae3bb5bc042c03a9b54fad94f58625e22ebcfe511
Instruction Fuzzy Hash: DBF0E232601215BBDF214F28DC05B993BA8EB007B0F248711F829D62E0D735DD919A90

Function 00779A12 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007799C3,00000000,?,007EDEF4,?,?,?,00779B66,00000004,InitializeCriticalSectionEx,00792C58,InitializeCriticalSectionEx), ref: 00779A1F
GetLastError.KERNEL32(?,007799C3,00000000,?,007EDEF4,?,?,?,00779B66,00000004,InitializeCriticalSectionEx,00792C58,InitializeCriticalSectionEx,00000000,?,0077991D), ref: 00779A29
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00779A51

Strings

api-ms-, xrefs: 00779A36

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 126ebf9d92f83d24246e483e1370a49b09f22c0a8c3dbf40c3928741b32b4418
Instruction ID: 7936c69d49db65fa0ea0f3d0e77ff909b33350acb9ac0398b9ce540f9cf63ba6
Opcode Fuzzy Hash: 126ebf9d92f83d24246e483e1370a49b09f22c0a8c3dbf40c3928741b32b4418
Instruction Fuzzy Hash: E3E04870381245B7DF106F60EC07F593F559B00B91F51C021FA0CA84E1D76A98A5D585

Function 00785131 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,016E13CA), ref: 00785194

Part of subcall function 007875F2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007869BD,?,00000000,-00000008), ref: 0078769E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007853EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00785437
GetLastError.KERNEL32 ref: 007854DA

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 7bcb8e4950daf26c37a193424ee47cb58618f7f199b720bc378d31d546f53028
Instruction ID: d23772b9101cf33bf27f2ac26a0baf12e4b718fc5c046dfc5587e51c0d992ef3
Opcode Fuzzy Hash: 7bcb8e4950daf26c37a193424ee47cb58618f7f199b720bc378d31d546f53028
Instruction Fuzzy Hash: 7ED18DB5D046889FCF11DFA8D8809EDBBB5FF09314F28812AE859EB351D734A841CB50

Function 0078ED0F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,0078D7AA,00000000,00000001,00000000,016E13CA,?,0078552E,016E13CA,00000000,00000000), ref: 0078ED26
GetLastError.KERNEL32(?,0078D7AA,00000000,00000001,00000000,016E13CA,?,0078552E,016E13CA,00000000,00000000,016E13CA,016E13CA,?,00785AB5,00000000), ref: 0078ED32

Part of subcall function 0078ECF8: CloseHandle.KERNEL32(FFFFFFFE,0078ED42,?,0078D7AA,00000000,00000001,00000000,016E13CA,?,0078552E,016E13CA,00000000,00000000,016E13CA,016E13CA), ref: 0078ED08

___initconout.LIBCMT ref: 0078ED42

Part of subcall function 0078ECBA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0078ECE9,0078D797,016E13CA,?,0078552E,016E13CA,00000000,00000000,016E13CA), ref: 0078ECCD

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,0078D7AA,00000000,00000001,00000000,016E13CA,?,0078552E,016E13CA,00000000,00000000,016E13CA), ref: 0078ED57

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 560119d4bf863c49f90bdc84088da80875cbaf1cd1f48397304b262589f44af9
Instruction ID: 0e06b8114e6d68acce337a6685d5de6b012c9a2c921702092f6dcd93fbd0671a
Opcode Fuzzy Hash: 560119d4bf863c49f90bdc84088da80875cbaf1cd1f48397304b262589f44af9
Instruction Fuzzy Hash: 40F03036540159BBCF222FA5EC09D9A3F26FB487A1B408012FE1CC5130D7378CA1EBA4

Function 0078F6A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0078F00F), ref: 0078F6BC

Strings

4=w, xrefs: 0078F786, 0078F830, 0078F876
DPy, xrefs: 0078F851

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: DecodePointer
String ID: 4=w$DPy
API String ID: 3527080286-4193779498
Opcode ID: 88eddba8e07fc41bb070f5dc2b772663e89b5e54734881dc6e6c17edcefe24ac
Instruction ID: 1f81825145cf33dffb89f0022251124e197473eaa781ed39be053c1f7e332e1d
Opcode Fuzzy Hash: 88eddba8e07fc41bb070f5dc2b772663e89b5e54734881dc6e6c17edcefe24ac
Instruction Fuzzy Hash: CD519D70940A1ACBDF14AFA9E84C1ADBFB4FF48304F914076D491AA264D77C8A65CF94

Function 0077EC81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

~, xrefs: 0077ECE3
~, xrefs: 0077ECBF

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID:
String ID: ~$~
API String ID: 0-2300608268
Opcode ID: 4c4a5e948d3c79b192e40cb83ec9aeb74590e32454d8f7da9a4a375905743af3
Instruction ID: 3f929940480aee28f5dc8e4543695b6e2eb0b42cad82ed95c573b9a0b83d39ca
Opcode Fuzzy Hash: 4c4a5e948d3c79b192e40cb83ec9aeb74590e32454d8f7da9a4a375905743af3
Instruction Fuzzy Hash: BD31F975A01258EBDF21EF58CCC59DE7BBDEB4D390B51C0B6F409A7251D6788E408BA0

Function 007740EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_Fputc.LIBCPMT ref: 007741C7

Strings

4=w, xrefs: 007741A6

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Fputc
String ID: 4=w
API String ID: 3078413507-2024421503
Opcode ID: d397207648d5807dd026d7f6a611cbcbc811bd8161b2f87d01e594e36a52cc6b
Instruction ID: a51b5ebf7976714a43db97ad079abfa57ac1b80b22cbf4c95f838eea06a4e5a9
Opcode Fuzzy Hash: d397207648d5807dd026d7f6a611cbcbc811bd8161b2f87d01e594e36a52cc6b
Instruction Fuzzy Hash: 5A41C53290061EEBCF14EF64C8808EEB7B8FF18394F548056E509A7640EB39ED95CB90

Function 00778FDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00779002

Strings

RCC, xrefs: 0077901C
MOC, xrefs: 00779014

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 263c8565e2c7b9d46377aff4bb954751fad0dc13f656156a3e2b09cb62743be0
Instruction ID: b8fa0040df5c0b26ef9485f7ffd0c56a4353800e2eca79c86f5ddebe01a55f86
Opcode Fuzzy Hash: 263c8565e2c7b9d46377aff4bb954751fad0dc13f656156a3e2b09cb62743be0
Instruction Fuzzy Hash: C9418F7190120AEFCF16DF98CC85AEEBBB5FF49390F148099FA0867221D3399960DB51

Function 004356F2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043573D
GetSystemMetrics.USER32 ref: 0043574C

Strings

, xrefs: 00435820

Memory Dump Source

Source File: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare(2).jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: ec691425831c759be9fa0d36fdac690029394e031ab9ffd4cd952c85b62d5267
Instruction ID: f42f1358d675968107000b1223e9501dabfd42001fddefa8252900065f16926b
Opcode Fuzzy Hash: ec691425831c759be9fa0d36fdac690029394e031ab9ffd4cd952c85b62d5267
Instruction Fuzzy Hash: E45182B4E192089FDB40EFACD98569EBBF0BB48300F10852DE898E7354D734A945CF96

Function 00773352 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0077335E
std::_Lockit::~_Lockit.LIBCPMT ref: 007733BA

Strings

4=w, xrefs: 00773385, 0077339F

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 4=w
API String ID: 593203224-2024421503
Opcode ID: 65d5883c323322d3c373140558a190a4b4f7eba95c70eb6af2eda01c5ebbd001
Instruction ID: 5925f870cf7781e9749497019e0ad79ee1b26ff566a965021ebe37325bc667f3
Opcode Fuzzy Hash: 65d5883c323322d3c373140558a190a4b4f7eba95c70eb6af2eda01c5ebbd001
Instruction Fuzzy Hash: E501B135600219EFCF10DB19C899EAD77B8EF847A0B04809AE4059B371DF74EE46DB90

Function 00779D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00799F68,0000000C), ref: 00779D72
ExitThread.KERNEL32 ref: 00779D79

Strings

4=w, xrefs: 00779DAF

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: ErrorExitLastThread
String ID: 4=w
API String ID: 1611280651-2024421503
Opcode ID: abb328868bb295d30edb068b50d58f4eccdbe2909c0603522c0de8864535b9dd
Instruction ID: 3cb513c8d8fbbfb7058e820fcc5863f8068d3839892b9cca5158ec887d00134f
Opcode Fuzzy Hash: abb328868bb295d30edb068b50d58f4eccdbe2909c0603522c0de8864535b9dd
Instruction Fuzzy Hash: D9F08C70A41609EFDF10ABB4C80EA6E3B64EF00341F10814AF10997292CB3D5952CBA1

Function 00771595 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0077159C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007715D4

Part of subcall function 007733C3: _Yarn.LIBCPMT ref: 007733E2
Part of subcall function 007733C3: _Yarn.LIBCPMT ref: 00773406

Strings

bad locale name, xrefs: 007715E2

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: c593da69493e74040b9b2445eacd987654c7f7327ef3f3eb854f5ea5bb3264bb
Instruction ID: 64f4db13be5b268b7011160aabf3811a07bb856ecb4cea500f4845baf637d045
Opcode Fuzzy Hash: c593da69493e74040b9b2445eacd987654c7f7327ef3f3eb854f5ea5bb3264bb
Instruction Fuzzy Hash: F7F01771505B809E87319F7A9485447FBE4BE29360390CE2FE0DEC3A12D738A504CBAA

Function 00781FCE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0078200E

Strings

InitializeCriticalSectionEx, xrefs: 00781FDE
4=w, xrefs: 00781FFE

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 4=w$InitializeCriticalSectionEx
API String ID: 2593887523-2532750098
Opcode ID: 237e696e36b3a86c4883e53fbaa8a8ed85eb29697c836e19fdb74370fdd4e24f
Instruction ID: d426ffdc54f1dcd31a3abed0cf2a9b3fba1bbee05bc4fd16b49dbfe31dabace1
Opcode Fuzzy Hash: 237e696e36b3a86c4883e53fbaa8a8ed85eb29697c836e19fdb74370fdd4e24f
Instruction Fuzzy Hash: 38E092366C025DB7CF112F55EC09E8E7F15EB04761B408011FD1825161C6BA9973E7E4

Function 00781E51 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00781E85

Strings

4=w, xrefs: 00781E7B
FlsAlloc, xrefs: 00781E61

Memory Dump Source

Source File: 00000002.00000002.2271494975.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true

Associated: 00000002.00000002.2271472832.0000000000770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271546314.0000000000791000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271572509.000000000079B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2271620193.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_770000_SoftWare(2).jbxd

Similarity

API ID: Alloc
String ID: 4=w$FlsAlloc
API String ID: 2773662609-162422361
Opcode ID: 833e1528e15172427f3e73173422860f94d6f7883d20599c5083720dfc53fca0
Instruction ID: 9f2f3570f613747a7ec23b6b0571ec67db8e0ec40053d8baec5c2dcf20d5491d
Opcode Fuzzy Hash: 833e1528e15172427f3e73173422860f94d6f7883d20599c5083720dfc53fca0
Instruction Fuzzy Hash: 2CE0C2766C02A8778A2133A5AC1FD9F7E18CF40B71B844022FE05552429AAD4C5383E9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SoftWare(2).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_546ea742dd48f46178dbb2b915245098904dcb1_95a35aca_fd133525-3c5c-41ae-bc01-a4509b427ecd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_8ee5b464331c84393527985073a16c78d63b1b_95a35aca_209ad8ac-ebfc-4dd4-bc55-8141efb30f65\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_99eff584d7ae45d9eb7f2942b6104d7821b2b7b5_2927e4e7_43c31aa8-2cfa-4cc4-9dd5-bf9c1b22ee4c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1064.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER117E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11AE.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D23.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F47.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F96.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3D5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE619.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE648.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

Windows Analysis Report
SoftWare(2).exe

Function 00771FEA Relevance: 7.7, APIs: 5, Instructions: 153
memorythreadCOMMON

Function 00782B19 Relevance: .0, Instructions: 29
COMMON

Function 00781C2F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00779EBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
threadCOMMON

Function 00779D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 00781CFA Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Function 007C2780 Relevance: 53.4, Strings: 42, Instructions: 896
COMMON

Function 007D30BF Relevance: 37.8, Strings: 30, Instructions: 292
COMMON