Edit tour

Windows Analysis Report
8yprhxqBVs.exe

Overview

General Information

Sample name:	8yprhxqBVs.exe renamed because original name is a hash value
Original sample name:	7acc6aaa73ad3bb7b36771f3c9311a0c.exe
Analysis ID:	1464584
MD5:	7acc6aaa73ad3bb7b36771f3c9311a0c
SHA1:	da764b355b5f6c54f55ce7f1087de4b0de462478
SHA256:	93255a8d0cd55878926f556e68a34cdc802c5316bd469f035a1a3481299ac133
Tags:	32exetrojan
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

8yprhxqBVs.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\8yprhxqBVs.exe" MD5: 7ACC6AAA73AD3BB7B36771F3C9311A0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["deadtrainingactioniw.xyzn", "qualificationjdwko.xyz", "grandcommonyktsju.xyz", "wordingnatturedowo.xyz", "crisisrottenyjs.xyz", "sweetcalcutangkdow.xyz", "cooperatvassquaidmew.xyzn", "exuberanttjdkwo.xyz"], "Build id": "bOKHNM--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.658353
SID:	2054129
Source Port:	54788
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.622454
SID:	2054123
Source Port:	52161
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.738932
SID:	2054117
Source Port:	56912
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.687585
SID:	2054125
Source Port:	52303
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.724299
SID:	2054119
Source Port:	64410
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.673048
SID:	2054127
Source Port:	55158
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.635221
SID:	2054131
Source Port:	55481
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	06/29/24-06:37:59.702795
SID:	2054121
Source Port:	53151
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8yprhxqBVs.exe.7412.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["deadtrainingactioniw.xyzn", "qualificationjdwko.xyz", "grandcommonyktsju.xyz", "wordingnatturedowo.xyz", "crisisrottenyjs.xyz", "sweetcalcutangkdow.xyz", "cooperatvassquaidmew.xyzn", "exuberanttjdkwo.xyz"], "Build id": "bOKHNM--"}

Multi AV Scanner detection for domain / URL

Source: https://sweetcalcutangkdow.xyz/api

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for submitted file

Source: 8yprhxqBVs.exe	ReversingLabs: Detection: 58%
Source: 8yprhxqBVs.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Machine Learning detection for sample

Source: 8yprhxqBVs.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: deadtrainingactioniw.xyzn
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: qualificationjdwko.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: grandcommonyktsju.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: wordingnatturedowo.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: crisisrottenyjs.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: sweetcalcutangkdow.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: cooperatvassquaidmew.xyzn
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: exuberanttjdkwo.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: wordingnatturedowo.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String decryptor: bOKHNM--

Source: 8yprhxqBVs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8yprhxqBVs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	0_2_00EB4700
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then movzx ebx, di	0_2_00EA8066
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00EA8066
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then movzx ebx, di	0_2_00EA8075
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00EA8075
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then movzx ebx, di	0_2_00EA8021
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00EA8021
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00E9E033
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov byte ptr [eax], bl	0_2_00E8F000
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00E971AC
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp eax	0_2_00E9E1AF
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, edi	0_2_00E871A2
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E4AA2089h	0_2_00EA1170
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	0_2_00EA4149
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00EA4149
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	0_2_00E924A8
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp ecx	0_2_00EB94A9
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	0_2_00E92487
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov dword ptr [esi], eax	0_2_00EA6490
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov dword ptr [esi], ecx	0_2_00EA6490
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esi+68h]	0_2_00EA6490
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00EA6490
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov edi, dword ptr [esi+04h]	0_2_00EB8494
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ebx, eax	0_2_00E83430
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov edx, dword ptr [esp+10h]	0_2_00E89400
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00EA0410
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp eax	0_2_00E8E5C7
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h	0_2_00E9F580
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00EA5580
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then inc ebx	0_2_00E95510
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [00EC4FE8h]	0_2_00EB76C4
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	0_2_00EB8600
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00EA5580
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp edx	0_2_00E9D7DE
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_00EA67AF
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then lea ecx, dword ptr [esi+40h]	0_2_00EA77A1
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp eax	0_2_00E81787
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then lea ecx, dword ptr [esi+40h]	0_2_00EA7731
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00E93737
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00EA48DF
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00E978AF
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp edx	0_2_00E9D84F
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_00EA684D
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00E9394D
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	0_2_00E89AD0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	0_2_00E89AD0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_00E8CCB0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00E97864
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	0_2_00E93C08
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp ecx	0_2_00EB5D98
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00EA7D6E
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00E93D70
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00E96D24
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esi+18h]	0_2_00EA6EBE
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esi+18h]	0_2_00EA6EB7
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp eax	0_2_00E91FEF
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then movzx ebx, di	0_2_00EA7F8F
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00EA7F8F
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00EAFF40
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00EA1F23
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then mov ecx, dword ptr [esp+5Ch]	0_2_00E95F09
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 4x nop then jmp eax	0_2_00E9DF00

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2054123 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) 192.168.2.4:52161 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054131 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) 192.168.2.4:55481 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054129 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) 192.168.2.4:54788 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054127 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) 192.168.2.4:55158 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054125 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) 192.168.2.4:52303 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054121 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) 192.168.2.4:53151 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054119 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) 192.168.2.4:64410 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054117 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) 192.168.2.4:56912 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: deadtrainingactioniw.xyzn
Source: Malware configuration extractor	URLs: qualificationjdwko.xyz
Source: Malware configuration extractor	URLs: grandcommonyktsju.xyz
Source: Malware configuration extractor	URLs: wordingnatturedowo.xyz
Source: Malware configuration extractor	URLs: crisisrottenyjs.xyz
Source: Malware configuration extractor	URLs: sweetcalcutangkdow.xyz
Source: Malware configuration extractor	URLs: cooperatvassquaidmew.xyzn
Source: Malware configuration extractor	URLs: exuberanttjdkwo.xyz

Performs DNS queries to domains with low reputation

Source:	DNS query: wordingnatturedowo.xyz
Source:	DNS query: exuberanttjdkwo.xyz
Source:	DNS query: cooperatvassquaidmew.xyz
Source:	DNS query: sweetcalcutangkdow.xyz
Source:	DNS query: crisisrottenyjs.xyz
Source:	DNS query: grandcommonyktsju.xyz
Source:	DNS query: qualificationjdwko.xyz
Source:	DNS query: deadtrainingactioniw.xyz

Source: unknown	DNS traffic detected: query: grandcommonyktsju.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: deadtrainingactioniw.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sweetcalcutangkdow.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crisisrottenyjs.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wordingnatturedowo.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cooperatvassquaidmew.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: exuberanttjdkwo.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qualificationjdwko.xyz replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: wordingnatturedowo.xyz
Source: global traffic	DNS traffic detected: DNS query: exuberanttjdkwo.xyz
Source: global traffic	DNS traffic detected: DNS query: cooperatvassquaidmew.xyz
Source: global traffic	DNS traffic detected: DNS query: sweetcalcutangkdow.xyz
Source: global traffic	DNS traffic detected: DNS query: crisisrottenyjs.xyz
Source: global traffic	DNS traffic detected: DNS query: grandcommonyktsju.xyz
Source: global traffic	DNS traffic detected: DNS query: qualificationjdwko.xyz
Source: global traffic	DNS traffic detected: DNS query: deadtrainingactioniw.xyz

Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cooperatvassquaidmew.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisisrottenyjs.xyz/SOR
Source: 8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisisrottenyjs.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz/)G4
Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz/api(
Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001974000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz:443/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exuberanttjdkwo.xyz/es(
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grandcommonyktsju.xyz/B
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/a
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001952000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001952000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/api4
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sweetcalcutangkdow.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sweetcalcutangkdow.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693036124.00000000017A8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://turbosms.ua
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordingnatturedowo.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordingnatturedowo.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordingnatturedowo.xyz/apisX

Source: C:\Users\user\Desktop\8yprhxqBVs.exe

Code function: 0_2_00EADC70 OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,

0_2_00EADC70

Source: C:\Users\user\Desktop\8yprhxqBVs.exe

Code function: 0_2_00EADC70 OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,

0_2_00EADC70

Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E860AC	0_2_00E860AC
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EB5070	0_2_00EB5070
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EA8075	0_2_00EA8075
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EA8021	0_2_00EA8021
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EA1170	0_2_00EA1170
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E88210	0_2_00E88210
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E8436F	0_2_00E8436F
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EBA410	0_2_00EBA410
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EA35F7	0_2_00EA35F7
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E865C0	0_2_00E865C0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EBA730	0_2_00EBA730
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E9C870	0_2_00E9C870
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EA5830	0_2_00EA5830
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E89AD0	0_2_00E89AD0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E85BF8	0_2_00E85BF8
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EB1DC0	0_2_00EB1DC0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E85D9D	0_2_00E85D9D
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E84D60	0_2_00E84D60
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E9FECD	0_2_00E9FECD
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00E8EE60	0_2_00E8EE60
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: 0_2_00EA7F8F	0_2_00EA7F8F

Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: String function: 00E89170 appears 131 times
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Code function: String function: 00E88B50 appears 72 times

Source: 8yprhxqBVs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@8/0

Source: C:\Users\user\Desktop\8yprhxqBVs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8yprhxqBVs.exe	ReversingLabs: Detection: 58%
Source: 8yprhxqBVs.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\8yprhxqBVs.exe

File read: C:\Users\user\Desktop\8yprhxqBVs.exe

Jump to behavior

Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	Section loaded: msasn1.dll	Jump to behavior

Source: 8yprhxqBVs.exe

Static file information: File size 6253568 > 1048576

Source: 8yprhxqBVs.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x5ed400

Source: 8yprhxqBVs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: 8yprhxqBVs.exe	Static PE information: section name: .vmp
Source: 8yprhxqBVs.exe	Static PE information: section name: .vmp
Source: 8yprhxqBVs.exe	Static PE information: section name: .vmp

Source: C:\Users\user\Desktop\8yprhxqBVs.exe

Code function: 0_2_00E8802D push eax; ret

0_2_00E88033

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 166BCC0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 1374981
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 1740D60
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 11BDE75
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 1685F2E
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 133CA72
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 17818E2
Source: C:\Users\user\Desktop\8yprhxqBVs.exe	API/Special instruction interceptor: Address: 11BA5AE

Source: C:\Users\user\Desktop\8yprhxqBVs.exe TID: 7428	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\8yprhxqBVs.exe TID: 7428	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA

Source: C:\Users\user\Desktop\8yprhxqBVs.exe

Code function: 0_2_00EB6B90 LdrInitializeThunk,

0_2_00EB6B90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: deadtrainingactioniw.xyzn
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: qualificationjdwko.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: grandcommonyktsju.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: wordingnatturedowo.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: crisisrottenyjs.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: sweetcalcutangkdow.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: cooperatvassquaidmew.xyzn
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: exuberanttjdkwo.xyz

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8yprhxqBVs.exe	58%	ReversingLabs	Win32.Spyware.Lummastealer
8yprhxqBVs.exe	28%	Virustotal		Browse
8yprhxqBVs.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
qualificationjdwko.xyz	1%	Virustotal	Browse
deadtrainingactioniw.xyz	1%	Virustotal	Browse
cooperatvassquaidmew.xyz	1%	Virustotal	Browse
exuberanttjdkwo.xyz	1%	Virustotal	Browse
grandcommonyktsju.xyz	0%	Virustotal	Browse
wordingnatturedowo.xyz	1%	Virustotal	Browse
crisisrottenyjs.xyz	1%	Virustotal	Browse
sweetcalcutangkdow.xyz	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
cooperatvassquaidmew.xyzn	0%	Avira URL Cloud	safe
https://sweetcalcutangkdow.xyz/	0%	Avira URL Cloud	safe
https://cooperatvassquaidmew.xyz/	0%	Avira URL Cloud	safe
https://crisisrottenyjs.xyz/SOR	0%	Avira URL Cloud	safe
https://qualificationjdwko.xyz/api	0%	Avira URL Cloud	safe
https://sweetcalcutangkdow.xyz/api	0%	Avira URL Cloud	safe
https://cooperatvassquaidmew.xyz/	0%	Virustotal		Browse
grandcommonyktsju.xyz	0%	Avira URL Cloud	safe
https://turbosms.ua	0%	Avira URL Cloud	safe
exuberanttjdkwo.xyz	0%	Avira URL Cloud	safe
grandcommonyktsju.xyz	0%	Virustotal		Browse
https://sweetcalcutangkdow.xyz/api	5%	Virustotal		Browse
qualificationjdwko.xyz	0%	Avira URL Cloud	safe
https://deadtrainingactioniw.xyz:443/api	0%	Avira URL Cloud	safe
https://deadtrainingactioniw.xyz/api	0%	Avira URL Cloud	safe
https://turbosms.ua	0%	Virustotal		Browse
https://qualificationjdwko.xyz/api	4%	Virustotal		Browse
https://qualificationjdwko.xyz/	0%	Avira URL Cloud	safe
qualificationjdwko.xyz	1%	Virustotal		Browse
https://deadtrainingactioniw.xyz:443/api	4%	Virustotal		Browse
https://deadtrainingactioniw.xyz/api	4%	Virustotal		Browse
exuberanttjdkwo.xyz	1%	Virustotal		Browse
https://wordingnatturedowo.xyz/	0%	Avira URL Cloud	safe
https://crisisrottenyjs.xyz/api	0%	Avira URL Cloud	safe
wordingnatturedowo.xyz	0%	Avira URL Cloud	safe
https://deadtrainingactioniw.xyz/	0%	Avira URL Cloud	safe
https://sweetcalcutangkdow.xyz/	0%	Virustotal		Browse
https://wordingnatturedowo.xyz/apisX	0%	Avira URL Cloud	safe
https://qualificationjdwko.xyz/	0%	Virustotal		Browse
deadtrainingactioniw.xyzn	0%	Avira URL Cloud	safe
wordingnatturedowo.xyz	1%	Virustotal		Browse
https://exuberanttjdkwo.xyz/es(	0%	Avira URL Cloud	safe
https://crisisrottenyjs.xyz/api	4%	Virustotal		Browse
https://qualificationjdwko.xyz/api4	0%	Avira URL Cloud	safe
https://deadtrainingactioniw.xyz/	0%	Virustotal		Browse
crisisrottenyjs.xyz	0%	Avira URL Cloud	safe
https://wordingnatturedowo.xyz/api	0%	Avira URL Cloud	safe
https://qualificationjdwko.xyz/a	0%	Avira URL Cloud	safe
https://deadtrainingactioniw.xyz/api(	0%	Avira URL Cloud	safe
https://deadtrainingactioniw.xyz/)G4	0%	Avira URL Cloud	safe
crisisrottenyjs.xyz	1%	Virustotal		Browse
https://wordingnatturedowo.xyz/	0%	Virustotal		Browse
sweetcalcutangkdow.xyz	0%	Avira URL Cloud	safe
https://wordingnatturedowo.xyz/api	4%	Virustotal		Browse
https://grandcommonyktsju.xyz/B	0%	Avira URL Cloud	safe
sweetcalcutangkdow.xyz	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
qualificationjdwko.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
crisisrottenyjs.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
deadtrainingactioniw.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
grandcommonyktsju.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
cooperatvassquaidmew.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
sweetcalcutangkdow.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
wordingnatturedowo.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
exuberanttjdkwo.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cooperatvassquaidmew.xyzn	true	Avira URL Cloud: safe	unknown
grandcommonyktsju.xyz	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
exuberanttjdkwo.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
qualificationjdwko.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
wordingnatturedowo.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
deadtrainingactioniw.xyzn	true	Avira URL Cloud: safe	unknown
crisisrottenyjs.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
sweetcalcutangkdow.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sweetcalcutangkdow.xyz/	8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cooperatvassquaidmew.xyz/	8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://crisisrottenyjs.xyz/SOR	8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/api	8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001952000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sweetcalcutangkdow.xyz/api	8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://turbosms.ua	8yprhxqBVs.exe, 00000000.00000002.1693036124.00000000017A8000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://deadtrainingactioniw.xyz/api	8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://deadtrainingactioniw.xyz:443/api	8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001974000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001974000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/	8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wordingnatturedowo.xyz/	8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://crisisrottenyjs.xyz/api	8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://deadtrainingactioniw.xyz/	8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001974000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wordingnatturedowo.xyz/apisX	8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://exuberanttjdkwo.xyz/es(	8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/api4	8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001952000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wordingnatturedowo.xyz/api	8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/a	8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deadtrainingactioniw.xyz/)G4	8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deadtrainingactioniw.xyz/api(	8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grandcommonyktsju.xyz/B	8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464584
Start date and time:	2024-06-29 06:37:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8yprhxqBVs.exe renamed because original name is a hash value
Original Sample Name:	7acc6aaa73ad3bb7b36771f3c9311a0c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@8/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 84% Number of executed functions: 6 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

Time	Type	Description
00:37:59	API Interceptor	2x Sleep call for process: 8yprhxqBVs.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.889633564730536
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8yprhxqBVs.exe
File size:	6'253'568 bytes
MD5:	7acc6aaa73ad3bb7b36771f3c9311a0c
SHA1:	da764b355b5f6c54f55ce7f1087de4b0de462478
SHA256:	93255a8d0cd55878926f556e68a34cdc802c5316bd469f035a1a3481299ac133
SHA512:	7b968b9e8bb606e27123c7b3db0453d19c008934abe7b703f042913fd939b9bd5b998efb14b5ee400ab50d9dc253e70f5ff2d120ccd0fcab7dd8c3b10a9412df
SSDEEP:	98304:btnghTODQMh/GM2q7cHv7llLoL9oZE1wFLB3O0Qmp8t8PQkBRd++Gcoww0:bTDQMdGM2qYHRoaZlygLbf
TLSH:	C15623892E9F10E7C9C218709717BBE733B764E209D68D35AAC1B4C9B0B2EB7305B155
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....{f..............................S...........@.......................... ......G.`...@.................................\......

File Icon


Icon Hash:	697031130b964e0d

Static PE Info

General

Entrypoint:	0x9314d9
Entrypoint Section:	.vmp
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x667BA692 [Wed Jun 26 05:26:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d14e6dd016a88df925ed3c16879f3d29

Entrypoint Preview

Instruction
call 00007FD7C8E94A7Ch
dec esi
lea edx, dword ptr [eax+edx-2C226511h]
inc ecx
mov edi, F920DD8Ah
inc edx
mov ecx, dword ptr [eax+edx-2C22650Dh]
dec eax
lea edx, dword ptr [eax+eax*8+7216F0A4h]
inc cx
btr edi, edx
xor ecx, edi
ror ecx, 1
dec esp
lea ebp, dword ptr [edx+edx-1E4304F9h]
inc ecx
mov ebx, 6EA37FAFh
lea ecx, dword ptr [ecx+eax-555F2437h]
dec eax
cdq
inc esp
movsx esi, dl
inc ecx
shr ch, FFFFFFC6h
bswap ecx
dec eax
mov dword ptr [esp+eax-2C22650Dh], 00958108h
neg ecx
inc ecx
sub eax, ebp
inc ecx
or ebx, 1F85A928h
inc ecx
inc esp
add byte ptr [esp+edx+06h], bl
dec eax
idiv dword ptr [esp+eax-4BCC6E0Dh]
dec eax
mov dword ptr [esp+eax*2], edi
inc bp
or ebx, esi
xor dword ptr [esp+eax*2], ecx
pop edi
dec ebp
lea esp, dword ptr [esi-4966A75Eh]
dec eax
arpl cx, cx
sal edx, FFFFFF8Fh
cdq
setb dl
dec esp
adc ecx, ecx
dec eax
mov ebp, dword ptr [ebx+eax*2]
cwde
inc sp
imul esi, edx
inc sp
mov ebp, dword ptr [ebx+eax+08h]
neg al
jnc 00007FD7C8A3D296h
dec ecx
not esp
dec esp
lea ebx, dword ptr [5923B8A6h+ecx*8]
dec eax
add eax, dword ptr [esp+esi*2]
inc esi
or byte ptr [esp+edi-7D366693h], bl
dec ecx
xor edi, esp
ror esi, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x81e45c	0x8c	.vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x920000	0x618dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x91f000	0x68c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x330000	0xb4	.vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x39d44	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x2a8b	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x113f0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x50000	0x2dfedc	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp	0x330000	0x23c	0x400	9c767db86a723e15ba871d21c882be0d	False	0.1708984375	data	1.152124137303384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x331000	0x5ed330	0x5ed400	796886b4f0f5fbf6d5ff5b6b6a9b07dc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x91f000	0x68c	0x800	b871f3d59f43409cbe2ae9f5e06c6632	False	0.42333984375	data	3.6442815333402208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x920000	0x618dc	0x8800	04c8a09bd5c47a2afa563c7f9f63d0b9	False	0.17839499080882354	data	2.9917502072872417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
UNICODEDATA	0x9286ac	0x2fed	data	French	France	0.03823529411764706
UNICODEDATA	0x92b69c	0x2989	empty	French	France	0
UNICODEDATA	0x92e028	0x462	empty	French	France	0
UNICODEDATA	0x92e48c	0xf04	empty	French	France	0
UNICODEDATA	0x92f390	0x22fa	empty	French	France	0
UNICODEDATA	0x93168c	0xc36	empty	French	France	0
RT_CURSOR	0x9322c4	0x134	empty	Russian	Russia	0
RT_CURSOR	0x9323f8	0x134	empty	Arabic	Saudi Arabia	0
RT_CURSOR	0x93252c	0x134	empty	Russian	Russia	0
RT_CURSOR	0x932660	0x134	empty			0
RT_CURSOR	0x932794	0x134	empty			0
RT_CURSOR	0x9328c8	0x2ec	empty			0
RT_CURSOR	0x932bb4	0x2ec	empty			0
RT_CURSOR	0x932ea0	0x2ec	empty			0
RT_CURSOR	0x93318c	0x2ec	empty			0
RT_CURSOR	0x933478	0x2ec	empty			0
RT_CURSOR	0x933764	0x2ec	empty			0
RT_CURSOR	0x933a50	0x2ec	empty			0
RT_CURSOR	0x933d3c	0x2ec	empty			0
RT_CURSOR	0x934028	0x2ec	empty			0
RT_CURSOR	0x934314	0x2ec	empty			0
RT_CURSOR	0x934600	0x134	empty			0
RT_CURSOR	0x934734	0x134	empty			0
RT_CURSOR	0x934868	0x134	empty			0
RT_CURSOR	0x93499c	0x134	empty			0
RT_CURSOR	0x934ad0	0x134	empty			0
RT_CURSOR	0x934c04	0x134	empty			0
RT_CURSOR	0x934d38	0x134	empty			0
RT_BITMAP	0x934e6c	0x1d0	empty			0
RT_BITMAP	0x93503c	0x1e4	empty			0
RT_BITMAP	0x935220	0x1d0	empty			0
RT_BITMAP	0x9353f0	0x1d0	empty			0
RT_BITMAP	0x9355c0	0x1d0	empty			0
RT_BITMAP	0x935790	0x1d0	empty			0
RT_BITMAP	0x935960	0x1d0	empty			0
RT_BITMAP	0x935b30	0x1d0	empty			0
RT_BITMAP	0x935d00	0x1d0	empty			0
RT_BITMAP	0x935ed0	0x1d0	empty			0
RT_BITMAP	0x9360a0	0x5c	empty			0
RT_BITMAP	0x9360fc	0x5c	empty			0
RT_BITMAP	0x936158	0x5c	empty			0
RT_BITMAP	0x9361b4	0x5c	empty			0
RT_BITMAP	0x936210	0x94	empty	Russian	Russia	0
RT_BITMAP	0x9362a4	0x5c	empty			0
RT_BITMAP	0x936300	0x5c	empty			0
RT_BITMAP	0x93635c	0x5c	empty			0
RT_BITMAP	0x9363b8	0x5c	empty			0
RT_BITMAP	0x936414	0x5c	empty			0
RT_BITMAP	0x936470	0x5c	empty			0
RT_BITMAP	0x9364cc	0x138	empty			0
RT_BITMAP	0x936604	0x138	empty			0
RT_BITMAP	0x93673c	0x138	empty			0
RT_BITMAP	0x936874	0x138	empty			0
RT_BITMAP	0x9369ac	0x138	empty			0
RT_BITMAP	0x936ae4	0x138	empty			0
RT_BITMAP	0x936c1c	0x104	empty			0
RT_BITMAP	0x936d20	0x138	empty			0
RT_BITMAP	0x936e58	0x104	empty			0
RT_BITMAP	0x936f5c	0x138	empty			0
RT_BITMAP	0x937094	0xb0	empty	Russian	Russia	0
RT_BITMAP	0x937144	0xb0	empty	Russian	Russia	0
RT_BITMAP	0x9371f4	0xe8	empty			0
RT_BITMAP	0x9372dc	0xce8	empty			0
RT_BITMAP	0x937fc4	0xce8	empty			0
RT_BITMAP	0x938cac	0xce8	empty			0
RT_BITMAP	0x939994	0x268	empty			0
RT_BITMAP	0x939bfc	0x268	empty			0
RT_BITMAP	0x939e64	0x268	empty			0
RT_BITMAP	0x93a0cc	0xce8	empty			0
RT_BITMAP	0x93adb4	0xce8	empty			0
RT_BITMAP	0x93ba9c	0xd28	empty			0
RT_BITMAP	0x93c7c4	0x4b2a	empty			0
RT_BITMAP	0x9412f0	0x126	empty			0
RT_BITMAP	0x941418	0x126	empty			0
RT_ICON	0x923e00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.25902527075812276
RT_ICON	0x9246a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.25767148014440433
RT_ICON	0x924f50	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.24954873646209386
RT_ICON	0x9257f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.2477436823104693
RT_ICON	0x9260a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.2477436823104693
RT_ICON	0x926948	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.2463898916967509
RT_ICON	0x9271f0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.259927797833935
RT_ICON	0x927a98	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	Russian	Russia	0.2612815884476534
RT_DIALOG	0x941540	0x52	empty			0
RT_STRING	0x941594	0x260	empty			0
RT_STRING	0x9417f4	0x210	empty			0
RT_STRING	0x941a04	0x30c	empty			0
RT_STRING	0x941d10	0x324	empty			0
RT_STRING	0x942034	0x444	empty			0
RT_STRING	0x942478	0x3d0	empty			0
RT_STRING	0x942848	0x3ec	empty			0
RT_STRING	0x942c34	0x290	empty			0
RT_STRING	0x942ec4	0x2d0	empty			0
RT_STRING	0x943194	0x498	empty			0
RT_STRING	0x94362c	0x2b8	empty			0
RT_STRING	0x9438e4	0x2d0	empty			0
RT_STRING	0x943bb4	0x36c	empty			0
RT_STRING	0x943f20	0x5b0	empty			0
RT_STRING	0x9444d0	0x35c	empty			0
RT_STRING	0x94482c	0x4fc	empty			0
RT_STRING	0x944d28	0x1220	empty			0
RT_STRING	0x945f48	0x90c	empty			0
RT_STRING	0x946854	0x994	empty			0
RT_STRING	0x9471e8	0x93c	empty			0
RT_STRING	0x947b24	0x65c	empty			0
RT_STRING	0x948180	0x210	empty			0
RT_STRING	0x948390	0x49c	empty			0
RT_STRING	0x94882c	0x418	empty			0
RT_STRING	0x948c44	0x3cc	empty			0
RT_STRING	0x949010	0x430	empty			0
RT_STRING	0x949440	0x418	empty			0
RT_STRING	0x949858	0x378	empty			0
RT_STRING	0x949bd0	0x3b4	empty			0
RT_STRING	0x949f84	0x2e8	empty			0
RT_STRING	0x94a26c	0x448	empty			0
RT_STRING	0x94a6b4	0x390	empty			0
RT_STRING	0x94aa44	0x4c8	empty			0
RT_STRING	0x94af0c	0x808	empty			0
RT_STRING	0x94b714	0x570	empty			0
RT_STRING	0x94bc84	0x6f8	empty			0
RT_STRING	0x94c37c	0x824	empty			0
RT_STRING	0x94cba0	0x6a0	empty			0
RT_STRING	0x94d240	0x87c	empty			0
RT_STRING	0x94dabc	0x94c	empty			0
RT_STRING	0x94e408	0x414	empty			0
RT_STRING	0x94e81c	0x27c	empty			0
RT_STRING	0x94ea98	0x20c	empty			0
RT_STRING	0x94eca4	0x3ec	empty			0
RT_STRING	0x94f090	0x3dc	empty			0
RT_STRING	0x94f46c	0x4ec	empty			0
RT_STRING	0x94f958	0x66c	empty			0
RT_STRING	0x94ffc4	0x70c	empty			0
RT_STRING	0x9506d0	0x398	empty			0
RT_STRING	0x950a68	0x218	empty			0
RT_STRING	0x950c80	0x25c	empty			0
RT_STRING	0x950edc	0x474	empty			0
RT_STRING	0x951350	0x4b8	empty			0
RT_STRING	0x951808	0x2fc	empty			0
RT_STRING	0x951b04	0x1ec	empty			0
RT_STRING	0x951cf0	0x13c	empty			0
RT_STRING	0x951e2c	0x46c	empty			0
RT_STRING	0x952298	0xccc	empty			0
RT_STRING	0x952f64	0x470	empty			0
RT_STRING	0x9533d4	0xc0	empty			0
RT_STRING	0x953494	0x104	empty			0
RT_STRING	0x953598	0x1a4	empty			0
RT_STRING	0x95373c	0x448	empty			0
RT_STRING	0x953b84	0x3c0	empty			0
RT_STRING	0x953f44	0x574	empty			0
RT_STRING	0x9544b8	0x380	empty			0
RT_STRING	0x954838	0x5b8	empty			0
RT_STRING	0x954df0	0x86c	empty			0
RT_STRING	0x95565c	0xcd0	empty			0
RT_STRING	0x95632c	0xb3c	empty			0
RT_STRING	0x956e68	0x898	empty			0
RT_STRING	0x957700	0x6bc	empty			0
RT_STRING	0x957dbc	0x838	empty			0
RT_STRING	0x9585f4	0xbc8	empty			0
RT_STRING	0x9591bc	0xd78	empty			0
RT_STRING	0x959f34	0x6cc	empty			0
RT_STRING	0x95a600	0x57c	empty			0
RT_STRING	0x95ab7c	0xc94	empty			0
RT_STRING	0x95b810	0x9f0	empty			0
RT_STRING	0x95c200	0x990	empty			0
RT_STRING	0x95cb90	0x9a4	empty			0
RT_STRING	0x95d534	0x7e4	empty			0
RT_STRING	0x95dd18	0xc64	empty			0
RT_STRING	0x95e97c	0x9bc	empty			0
RT_STRING	0x95f338	0xa34	empty			0
RT_STRING	0x95fd6c	0xe44	empty			0
RT_STRING	0x960bb0	0x8b4	empty			0
RT_STRING	0x961464	0xbc8	empty			0
RT_STRING	0x96202c	0x544	empty			0
RT_STRING	0x962570	0x760	empty			0
RT_STRING	0x962cd0	0x5d4	empty			0
RT_STRING	0x9632a4	0x888	empty			0
RT_STRING	0x963b2c	0x7d0	empty			0
RT_STRING	0x9642fc	0x290	empty			0
RT_STRING	0x96458c	0x7dc	empty			0
RT_STRING	0x964d68	0x8a4	empty			0
RT_STRING	0x96560c	0x7e0	empty			0
RT_STRING	0x965dec	0x91c	empty			0
RT_STRING	0x966708	0xa28	empty			0
RT_STRING	0x967130	0x5d0	empty			0
RT_STRING	0x967700	0x3e0	empty			0
RT_STRING	0x967ae0	0x3a4	empty			0
RT_STRING	0x967e84	0x404	empty			0
RT_STRING	0x968288	0x234	empty			0
RT_STRING	0x9684bc	0xec	empty			0
RT_STRING	0x9685a8	0x1f0	empty			0
RT_STRING	0x968798	0x428	empty			0
RT_STRING	0x968bc0	0x3bc	empty			0
RT_STRING	0x968f7c	0x2fc	empty			0
RT_STRING	0x969278	0x358	empty			0
RT_RCDATA	0x9695d0	0x10	empty			0
RT_RCDATA	0x9695e0	0x15ac	empty			0
RT_RCDATA	0x96ab8c	0x19ca	empty			0
RT_RCDATA	0x96c558	0x79f	empty			0
RT_RCDATA	0x96ccf8	0x2bd7	empty			0
RT_RCDATA	0x96f8d0	0x3ad	empty			0
RT_RCDATA	0x96fc80	0xda2	empty			0
RT_RCDATA	0x970a24	0x3d9	empty			0
RT_RCDATA	0x970e00	0x30d	empty			0
RT_RCDATA	0x971110	0xab5	empty			0
RT_RCDATA	0x971bc8	0x5ab	empty			0
RT_RCDATA	0x972174	0xc11	empty			0
RT_RCDATA	0x972d88	0xb34	empty			0
RT_RCDATA	0x9738bc	0x562	empty			0
RT_RCDATA	0x973e20	0x3b8	empty			0
RT_RCDATA	0x9741d8	0x3f6	empty			0
RT_RCDATA	0x9745d0	0x85e	empty			0
RT_RCDATA	0x974e30	0x84d	empty			0
RT_RCDATA	0x975680	0xcce	empty			0
RT_RCDATA	0x976350	0x5e2	empty			0
RT_RCDATA	0x976934	0x25c	empty			0
RT_RCDATA	0x976b90	0x4d5	empty			0
RT_RCDATA	0x977068	0x3cc	empty			0
RT_RCDATA	0x977434	0xe74	empty			0
RT_RCDATA	0x9782a8	0x2912	empty			0
RT_RCDATA	0x97abbc	0x14db	empty			0
RT_RCDATA	0x97c098	0x1245	empty			0
RT_RCDATA	0x97d2e0	0xbfe	empty			0
RT_RCDATA	0x97dee0	0xa55	empty			0
RT_RCDATA	0x97e938	0x3b1	empty			0
RT_RCDATA	0x97ecec	0xa56	empty			0
RT_RCDATA	0x97f744	0xa53	empty			0
RT_RCDATA	0x980198	0x783	empty			0
RT_RCDATA	0x98091c	0x14a	empty			0
RT_RCDATA	0x980a68	0x461	empty			0
RT_RCDATA	0x980ecc	0x494	empty			0
RT_RCDATA	0x981360	0x3c4	empty			0
RT_GROUP_CURSOR	0x981724	0x14	empty	Russian	Russia	0
RT_GROUP_CURSOR	0x981738	0x14	empty	Arabic	Saudi Arabia	0
RT_GROUP_CURSOR	0x98174c	0x14	empty	Russian	Russia	0
RT_GROUP_CURSOR	0x981760	0x14	empty			0
RT_GROUP_CURSOR	0x981774	0x14	empty			0
RT_GROUP_CURSOR	0x981788	0x14	empty			0
RT_GROUP_CURSOR	0x98179c	0x14	empty			0
RT_GROUP_CURSOR	0x9817b0	0x14	empty			0
RT_GROUP_CURSOR	0x9817c4	0x14	empty			0
RT_GROUP_CURSOR	0x9817d8	0x14	empty			0
RT_GROUP_CURSOR	0x9817ec	0x14	empty			0
RT_GROUP_CURSOR	0x981800	0x14	empty			0
RT_GROUP_CURSOR	0x981814	0x14	empty			0
RT_GROUP_CURSOR	0x981828	0x14	empty			0
RT_GROUP_CURSOR	0x98183c	0x14	empty			0
RT_GROUP_CURSOR	0x981850	0x14	empty			0
RT_GROUP_CURSOR	0x981864	0x14	empty			0
RT_GROUP_CURSOR	0x981878	0x14	empty			0
RT_GROUP_CURSOR	0x98188c	0x14	empty			0
RT_GROUP_CURSOR	0x9818a0	0x14	empty			0
RT_GROUP_CURSOR	0x9818b4	0x14	empty			0
RT_GROUP_CURSOR	0x9818c8	0x14	empty			0
RT_GROUP_ICON	0x928340	0x14	data	Russian	Russia	1.25
RT_GROUP_ICON	0x928354	0x14	data	Russian	Russia	1.25
RT_GROUP_ICON	0x928368	0x14	data	Russian	Russia	1.25
RT_GROUP_ICON	0x92837c	0x14	data	Russian	Russia	1.25
RT_GROUP_ICON	0x928390	0x14	data	Russian	Russia	1.25
RT_GROUP_ICON	0x9283a4	0x14	data	Russian	Russia	1.25
RT_GROUP_ICON	0x9283b8	0x14	data	Russian	Russia	1.2
RT_GROUP_ICON	0x9283cc	0x14	data	Russian	Russia	1.25
RT_MANIFEST	0x9283e0	0x2ca	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5028011204481793

Imports

DLL	Import
KERNEL32.dll	ExitProcess, GetCurrentProcessId, GetCurrentThreadId, GetLogicalDrives, GetSystemDirectoryW, GlobalLock, GlobalUnlock
ole32.dll	CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize
OLEAUT32.dll	SysAllocString, SysFreeString, SysStringLen, VariantClear, VariantInit
USER32.dll	CloseClipboard, GetClipboardData, GetDC, GetSystemMetrics, GetWindowLongW, OpenClipboard, ReleaseDC
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetCurrentObject, GetDIBits, GetObjectW, SelectObject
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France
Russian	Russia
Arabic	Saudi Arabia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/29/24-06:37:59.658353	UDP	2054129	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz)	54788	53	192.168.2.4	1.1.1.1
06/29/24-06:37:59.622454	UDP	2054123	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz)	52161	53	192.168.2.4	1.1.1.1
06/29/24-06:37:59.738932	UDP	2054117	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz)	56912	53	192.168.2.4	1.1.1.1
06/29/24-06:37:59.687585	UDP	2054125	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz)	52303	53	192.168.2.4	1.1.1.1
06/29/24-06:37:59.724299	UDP	2054119	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz)	64410	53	192.168.2.4	1.1.1.1
06/29/24-06:37:59.673048	UDP	2054127	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz)	55158	53	192.168.2.4	1.1.1.1
06/29/24-06:37:59.635221	UDP	2054131	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz)	55481	53	192.168.2.4	1.1.1.1
06/29/24-06:37:59.702795	UDP	2054121	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz)	53151	53	192.168.2.4	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2024 06:37:59.622453928 CEST	52161	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.631309986 CEST	53	52161	1.1.1.1	192.168.2.4
Jun 29, 2024 06:37:59.635221004 CEST	55481	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.655337095 CEST	53	55481	1.1.1.1	192.168.2.4
Jun 29, 2024 06:37:59.658353090 CEST	54788	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.670190096 CEST	53	54788	1.1.1.1	192.168.2.4
Jun 29, 2024 06:37:59.673048019 CEST	55158	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.684755087 CEST	53	55158	1.1.1.1	192.168.2.4
Jun 29, 2024 06:37:59.687585115 CEST	52303	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.700440884 CEST	53	52303	1.1.1.1	192.168.2.4
Jun 29, 2024 06:37:59.702795029 CEST	53151	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.722750902 CEST	53	53151	1.1.1.1	192.168.2.4
Jun 29, 2024 06:37:59.724298954 CEST	64410	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.736095905 CEST	53	64410	1.1.1.1	192.168.2.4
Jun 29, 2024 06:37:59.738931894 CEST	56912	53	192.168.2.4	1.1.1.1
Jun 29, 2024 06:37:59.753070116 CEST	53	56912	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 29, 2024 06:37:59.622453928 CEST	192.168.2.4	1.1.1.1	0xe006	Standard query (0)	wordingnatturedowo.xyz	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.635221004 CEST	192.168.2.4	1.1.1.1	0x6efe	Standard query (0)	exuberanttjdkwo.xyz	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.658353090 CEST	192.168.2.4	1.1.1.1	0xd9e	Standard query (0)	cooperatvassquaidmew.xyz	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.673048019 CEST	192.168.2.4	1.1.1.1	0x9f9b	Standard query (0)	sweetcalcutangkdow.xyz	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.687585115 CEST	192.168.2.4	1.1.1.1	0x783e	Standard query (0)	crisisrottenyjs.xyz	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.702795029 CEST	192.168.2.4	1.1.1.1	0x5647	Standard query (0)	grandcommonyktsju.xyz	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.724298954 CEST	192.168.2.4	1.1.1.1	0xa6c8	Standard query (0)	qualificationjdwko.xyz	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.738931894 CEST	192.168.2.4	1.1.1.1	0x3b8c	Standard query (0)	deadtrainingactioniw.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 29, 2024 06:37:59.631309986 CEST	1.1.1.1	192.168.2.4	0xe006	Name error (3)	wordingnatturedowo.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.655337095 CEST	1.1.1.1	192.168.2.4	0x6efe	Name error (3)	exuberanttjdkwo.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.670190096 CEST	1.1.1.1	192.168.2.4	0xd9e	Name error (3)	cooperatvassquaidmew.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.684755087 CEST	1.1.1.1	192.168.2.4	0x9f9b	Name error (3)	sweetcalcutangkdow.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.700440884 CEST	1.1.1.1	192.168.2.4	0x783e	Name error (3)	crisisrottenyjs.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.722750902 CEST	1.1.1.1	192.168.2.4	0x5647	Name error (3)	grandcommonyktsju.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.736095905 CEST	1.1.1.1	192.168.2.4	0xa6c8	Name error (3)	qualificationjdwko.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 29, 2024 06:37:59.753070116 CEST	1.1.1.1	192.168.2.4	0x3b8c	Name error (3)	deadtrainingactioniw.xyz	none	none	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 8yprhxqBVs.exePID: 7412, Parent PID: 2580

General

Target ID:	0
Start time:	00:37:58
Start date:	29/06/2024
Path:	C:\Users\user\Desktop\8yprhxqBVs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8yprhxqBVs.exe"
Imagebase:	0xe80000
File size:	6'253'568 bytes
MD5 hash:	7ACC6AAA73AD3BB7B36771F3C9311A0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 8yprhxqBVs.exePID: 7412, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.7%
Total number of Nodes:	46
Total number of Limit Nodes:	2

Executed Functions

Function 00EB4700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00EB477D

Strings

|:, xrefs: 00EB4783
vA@C, xrefs: 00EB4736

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: FreeHeap
String ID: vA@C$|:
API String ID: 3298025750-3337658132
Opcode ID: bfac9b60e06c0d1f3a8f83a0c2316ad9483a0d44edd2aa060ddc2a76bbbf99f9
Instruction ID: 7fe8443037e7664b94d50f91f555de3f9633e4f88fd93d3546c376445a43f272
Opcode Fuzzy Hash: bfac9b60e06c0d1f3a8f83a0c2316ad9483a0d44edd2aa060ddc2a76bbbf99f9
Instruction Fuzzy Hash: BB11397420C2818FD309DF18D8A0B6AFBF6EB95708F249A2CD5D6573E1CB319815CB86

Function 00EB6B90 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00EB99CC,?,00000006,?,?,00000018,1C1D1E1F,?,ZW), ref: 00EB6BB6

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 00E890E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00E89149

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 00E89112

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: 6ef4a8805e6ff63eb3c4cb05ff37e6d8b68c57f7b1a1f0f5ceed92c3e2e53f86
Instruction ID: 5482005bc218ca0f5f14b4854445a819103a80fbc775547bc583d5d2d1ed5d05
Opcode Fuzzy Hash: 6ef4a8805e6ff63eb3c4cb05ff37e6d8b68c57f7b1a1f0f5ceed92c3e2e53f86
Instruction Fuzzy Hash: ACF0A770C0F21199CA1037B45A4F3BE36F45F11754F1A7522F98E31113FA2C4408A3A3

Function 00E8A1B0 Relevance: 1.8, APIs: 1, Instructions: 325
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00E8A2D4

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 31d49542ccab4ece9857e2154fb049d5873bee76e9d656f0da7314c5de4194ec
Instruction ID: 8aa0e61ca29cb507dc13dc0e2c6e80f90e023f1eef3b804708e6013ac71559d3
Opcode Fuzzy Hash: 31d49542ccab4ece9857e2154fb049d5873bee76e9d656f0da7314c5de4194ec
Instruction Fuzzy Hash: A5E1C0B1504B40CFD320EF39E98565ABFE0AB15314F088A6ED4DDAB792E731A449CB53

Function 00EB4660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 00EB4674

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4ac261ecf35a60ea8300762fb4432a25870a5f2f24a739fe553352768ef55cdd
Instruction ID: e841b0a0d6eb104e5b1badeb7fd3379f820ef5ad6b8b5ab2a9ad6a0088244637
Opcode Fuzzy Hash: 4ac261ecf35a60ea8300762fb4432a25870a5f2f24a739fe553352768ef55cdd
Instruction Fuzzy Hash: 3BC012202451406AD22887169C91FBF791AABD3A05F10801CA445152C0C62061038058

Function 00EB6A30 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(00E8913B), ref: 00EB6A3B

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fb4fe095d0c677d1cbd4786202489364d1dbd0a3f82cfbd9806720303d9e4f69
Instruction ID: 50642eed4f33aae8f3ebfe3170d6d42c461d91f7525ad9ff8a329b163288f35d
Opcode Fuzzy Hash: fb4fe095d0c677d1cbd4786202489364d1dbd0a3f82cfbd9806720303d9e4f69
Instruction Fuzzy Hash: 5AA002745295849FCE026B6AEE1AD8B3AA5B7D1B437141070B44572132CF67141AEE08

Non-executed Functions

Function 00E971AC Relevance: 16.5, Strings: 13, Instructions: 284COMMON

Download Yara Rule

Strings

KRUB, xrefs: 00E973C5
qlw6, xrefs: 00E973AD
/9++, xrefs: 00E9746B
"!g{, xrefs: 00E97408
Z#, xrefs: 00E973CD
756., xrefs: 00E97460
~|mz, xrefs: 00E973B5
ck.{, xrefs: 00E97395
|gyz, xrefs: 00E973A5
afd+, xrefs: 00E9738D
p`ht, xrefs: 00E97385
xt2p, xrefs: 00E9739D
*, xrefs: 00E973D4

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: "!g{$*$/9++$756.$KRUB$Z#$afd+$ck.{$p`ht$qlw6$xt2p$|gyz$~|mz
API String ID: 0-2687116054
Opcode ID: 44d148feb6a7c7ee06c7af6639e9c657f7cc6215e766b857b92672ffc5a4f573
Instruction ID: 12318db64782d053d61be8e30b89e4645dff22bae821c60475e6711870bbc95c
Opcode Fuzzy Hash: 44d148feb6a7c7ee06c7af6639e9c657f7cc6215e766b857b92672ffc5a4f573
Instruction Fuzzy Hash: 47A1B0B051C3808BDB25CF25C4907ABBBE2EFD6348F18995CE4C99B392D735844ACB52

Function 00E8F000 Relevance: 9.0, Strings: 7, Instructions: 289COMMON

Download Yara Rule

Strings

uw, xrefs: 00E8F2E0
yA+, xrefs: 00E8F0EE
hZYd, xrefs: 00E8F0AC
U`aT, xrefs: 00E8F0C2
hVQl, xrefs: 00E8F0B7
y{, xrefs: 00E8F2BF
de, xrefs: 00E8F3DF

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: U`aT$de$hVQl$hZYd$yA+$uw$y{
API String ID: 0-1977114858
Opcode ID: 74372037762ae296fe5e0d019d72d31067b54bc81e6c56eaada7e7956baeccbc
Instruction ID: 0b7db34468b4fc56206a9bf362b60e8d55f617a70edd5de45066c2780a0d64a2
Opcode Fuzzy Hash: 74372037762ae296fe5e0d019d72d31067b54bc81e6c56eaada7e7956baeccbc
Instruction Fuzzy Hash: 5BB152B15493C18BD331CF25C48879BBBE1BBC6348F184A6DD4DC6B255C3789A06CBA6

Function 00EADC70 Relevance: 7.7, APIs: 5, Instructions: 186clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EADCC7
GetClipboardData.USER32 ref: 00EADD05
CloseClipboard.USER32 ref: 00EADE6C

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: a526a68f7d12cab5c2a1dbc9f35aa34dda6cce249a0452fc1356c1c5b76beb6d
Instruction ID: c8a874bec928041e0019f675e43892cc57db6f174379434283922389169eb46c
Opcode Fuzzy Hash: a526a68f7d12cab5c2a1dbc9f35aa34dda6cce249a0452fc1356c1c5b76beb6d
Instruction Fuzzy Hash: 9A717E74508741CFC720DF28C984656BBE1EF5A320B248B9DE4DB9FB95D730A805DBA2

Function 00E89AD0 Relevance: 5.5, Strings: 4, Instructions: 473COMMON

Download Yara Rule

Strings

U^, xrefs: 00E89F35
0, xrefs: 00E89B46
N\KO, xrefs: 00E89C16
X\, xrefs: 00E89F2D

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: 0$N\KO$U^$X\
API String ID: 0-3470748801
Opcode ID: 9e45f3216b15aeaf05433f25fff08fd486631c7e2244673af0837365194dd7df
Instruction ID: 8e443fd5924b30f631df31db723a709c943661091d4f8e73837a5723b46f888e
Opcode Fuzzy Hash: 9e45f3216b15aeaf05433f25fff08fd486631c7e2244673af0837365194dd7df
Instruction Fuzzy Hash: A01256B16083819BD318EF28D490B6FBBE2FFD5308F18592DE0D99B252D7359806CB56

Function 00E93D70 Relevance: 5.3, Strings: 4, Instructions: 330COMMON

Download Yara Rule

Strings

hi, xrefs: 00E94202
M, xrefs: 00E94124
.x!h, xrefs: 00E94130
D, xrefs: 00E940E5

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: .x!h$D$hi$M
API String ID: 0-1457716288
Opcode ID: c15ab18f2095d522b0ca9b61e8363fb87713381a804b6689fa078904e518e777
Instruction ID: 57e5dcec36f1a7f207053579421700c52ef5b53124a726bbb14f207b30e372f1
Opcode Fuzzy Hash: c15ab18f2095d522b0ca9b61e8363fb87713381a804b6689fa078904e518e777
Instruction Fuzzy Hash: EEC134B02083808AE770DF14C8A6BDBBBE1FF85318F54590CE4C99B391D7BA5549CB96

Function 00E9FECD Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

1648, xrefs: 00EA02DB
<>=8, xrefs: 00EA02F1
> &>, xrefs: 00EA0307

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: 1648$<>=8$> &>
API String ID: 0-3830843293
Opcode ID: b2b00891660ac5f61591d4943020528740cc97be1068b66db63b61b9719f0ad8
Instruction ID: 2cdfcdcc2b97fe0fd9d3dbedb5598567bb945d8510e29826da25011dfd5aa29a
Opcode Fuzzy Hash: b2b00891660ac5f61591d4943020528740cc97be1068b66db63b61b9719f0ad8
Instruction Fuzzy Hash: ACC1BC766083818FD724DF14C0917EBBBE2FB96340F18592DE48E9B382DB74A445CB92

Function 00E89400 Relevance: 4.0, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

AFr|, xrefs: 00E895A8
JBpp, xrefs: 00E89503
*, xrefs: 00E89573

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: *$AFr|$JBpp
API String ID: 0-2764207482
Opcode ID: 5acae142cb98e67e0bafb2dec1e5c4c8df9c83924799d23e106d1742ab102c41
Instruction ID: 21389dce4f333b16be15b3513bc8b19dd3eebe93d1ed7065009799c5fd85930a
Opcode Fuzzy Hash: 5acae142cb98e67e0bafb2dec1e5c4c8df9c83924799d23e106d1742ab102c41
Instruction Fuzzy Hash: FB71BE7190D3918BD311DF29C09071BFBE2EFD6718F188A8CE4D82B249D335990ACB96

Function 00E9DF00 Relevance: 3.8, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

X_, xrefs: 00E9DF66
]g, xrefs: 00E9DF5E
[[, xrefs: 00E9DF6E

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: X_$[[$]g
API String ID: 0-3867923182
Opcode ID: c75938adff79505ddf6449555818f969cf3db6c0a403131a2654096e1cba407e
Instruction ID: 30e392ade9f1848ce54da816e00fb40cfe11ae44615308f25d1b1f90c80617f5
Opcode Fuzzy Hash: c75938adff79505ddf6449555818f969cf3db6c0a403131a2654096e1cba407e
Instruction Fuzzy Hash: 45310EB02193819BD310EF05C880A5ABBF6FB86344F14AE1CE1D99B321D338C9028F57

Function 00EA35F7 Relevance: 3.2, Strings: 2, Instructions: 665COMMON

Download Yara Rule

Strings

}, xrefs: 00EA3C8F
Ap, xrefs: 00EA3C88

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: Ap$}
API String ID: 0-1536016870
Opcode ID: 530f5486d0e740aa8c947d48d08ceb8e4a085865dc1a637ffb58c59f859d90fd
Instruction ID: a5a48b2f0264d323df71ca899299b37817a6b8b442f358db85f78c8825419659
Opcode Fuzzy Hash: 530f5486d0e740aa8c947d48d08ceb8e4a085865dc1a637ffb58c59f859d90fd
Instruction Fuzzy Hash: 7E427FB5600A419FD328CF29C851A16BBF1FF89310F644A1DE9E69BB85D730B816CBC5

Function 00EA5830 Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

", xrefs: 00EA5C62
", xrefs: 00EA5C98

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: 0d478d159eb5e23174e8621513a1d7b01cacf184c68bedbbf88eb1d76ded9468
Instruction ID: 9b01ebdb6e7674620d474f4ac79482e2f182e4aca9b802b6a2cce7929aff86e4
Opcode Fuzzy Hash: 0d478d159eb5e23174e8621513a1d7b01cacf184c68bedbbf88eb1d76ded9468
Instruction Fuzzy Hash: FE020672608B119FC714CE24C49476FB7E5AFCA318F58992DE899AF381E734ED058781

Function 00E84D60 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

IEND, xrefs: 00E851F3
), xrefs: 00E84E13

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 7741ae9aeec12cd4cc7c7e1520e8acbd486ccd5c42e01384d1cd4eb09593b616
Instruction ID: 7f1e8511121636d9bf1bc60e0ca759f1d73160ed733ee06e5f957617e9f83811
Opcode Fuzzy Hash: 7741ae9aeec12cd4cc7c7e1520e8acbd486ccd5c42e01384d1cd4eb09593b616
Instruction Fuzzy Hash: 3EE1E1B2A087049FD714DF18C85179ABBE1FB84308F14952DF99DAB392DB74D909CB82

Function 00EA1170 Relevance: 2.9, Strings: 2, Instructions: 423COMMON

Download Yara Rule

Strings

}@Ap, xrefs: 00EA159B
fCA~, xrefs: 00EA15E6

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: InitializeThunk
String ID: fCA~$}@Ap
API String ID: 2994545307-3655289039
Opcode ID: 00c7591ac9335ac0cad74b4d690c366c212ddce1a1001bb394f7a5269c5247da
Instruction ID: 0c40bbb28015c73850c291886c3e33a651cf2db4aeb42fd501c80d3638ef3154
Opcode Fuzzy Hash: 00c7591ac9335ac0cad74b4d690c366c212ddce1a1001bb394f7a5269c5247da
Instruction Fuzzy Hash: 7ED123B5A083018BD714DF18C891B6BB7E2EB99354F18596CE4C6EB391E734EC05CB92

Function 00E85BF8 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

0, xrefs: 00E861EB
8, xrefs: 00E861E3

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: e0604df92cb8a79ef1f637f116ee07255fd1f4de389e96f90f8011d7d7297fd1
Instruction ID: 0c9f9d8cb3a14990e4f1387da700d470baf48b8397461feb5c041578c95f635b
Opcode Fuzzy Hash: e0604df92cb8a79ef1f637f116ee07255fd1f4de389e96f90f8011d7d7297fd1
Instruction Fuzzy Hash: 8E0247722083409FD7219F18C884B9FBBE2BF98314F44891DF98897362D775D958DB92

Function 00E85D9D Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

0, xrefs: 00E861EB
8, xrefs: 00E861E3

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 87879d892af3ffa6779b4e7bf002e093aa90b58ed0787fcd520ff5134ee667e6
Instruction ID: d92015a45a00028d7a50b0ee323de339e98136c6ec72e44bcf537174de1c6f6e
Opcode Fuzzy Hash: 87879d892af3ffa6779b4e7bf002e093aa90b58ed0787fcd520ff5134ee667e6
Instruction Fuzzy Hash: BFB12671209380AFD7219F58C880B9EBBE1AF99314F44485DF9C897362D375D858DBA3

Function 00E860AC Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

0, xrefs: 00E861EB
8, xrefs: 00E861E3

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 1c96b9537c35fffde24d72eaf5f1441256b38159dc005c278a5ae1d72a7566a6
Instruction ID: 554aed1ab79feb9fa4fca2dbc505e5db40b76e5688b09898d1402625e6a8a6ef
Opcode Fuzzy Hash: 1c96b9537c35fffde24d72eaf5f1441256b38159dc005c278a5ae1d72a7566a6
Instruction Fuzzy Hash: BB914471208380AFD721DF58C880BAEBBE1ABD9314F44891DFAC897252D771D918CB63

Function 00EA4149 Relevance: 1.9, Strings: 1, Instructions: 635COMMON

Download Yara Rule

Strings

by, xrefs: 00EA4511

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: by
API String ID: 0-1674299033
Opcode ID: 9ac23f82fa4e0c929308fe6e3f2ea0be2aee04ddc05e55d46fc1ce1f1165063e
Instruction ID: 3279ea6e582b455fbdf307fbc6a76fcea3721500880a05a93ebde0feabf873f3
Opcode Fuzzy Hash: 9ac23f82fa4e0c929308fe6e3f2ea0be2aee04ddc05e55d46fc1ce1f1165063e
Instruction Fuzzy Hash: 0D12D3B52007118FD728CF18C8A1B62B7F2FF9A304B24565CD9969FB95E779B801CB90

Function 00EA6EB7 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

srox, xrefs: 00EA6FF6

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: srox
API String ID: 0-3003179574
Opcode ID: d75a4aee91cb6f0af5c4c574a4d59ff2ac27a19cc6292a26fbec972c38e28f66
Instruction ID: 3a4815090488639702041d15fa5ab636b9d5eb6d2524d976eab8c6b70f0fdff4
Opcode Fuzzy Hash: d75a4aee91cb6f0af5c4c574a4d59ff2ac27a19cc6292a26fbec972c38e28f66
Instruction Fuzzy Hash: 00F18A70108B818BD736CF29C8A07A3BBF1AF6A308F44495CD1E79B692D776B449CB50

Function 00EA7F8F Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

WS_L, xrefs: 00EA833C

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: WS_L
API String ID: 0-1529689294
Opcode ID: b5735d5f55fb78e7c8f4812e8fde611402fceea0d35673ff23bd44eac63ef4f9
Instruction ID: b17b829831e6ff10cedf3d46a37ed4c92bf3fbbf62f7a544e9b17e0bd052eeb1
Opcode Fuzzy Hash: b5735d5f55fb78e7c8f4812e8fde611402fceea0d35673ff23bd44eac63ef4f9
Instruction Fuzzy Hash: 6EE16B70104B418BD729CF29C590762FBE2BF5A304F28965DD4D69B792CB35F846CB90

Function 00EA6EBE Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

srox, xrefs: 00EA6FF6

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: srox
API String ID: 0-3003179574
Opcode ID: 4407b657e6011acb955dce32572ec8e001536d5c24aa43e43504fab106340450
Instruction ID: e089afa967113721ce84e0552091f5fe077b53eac22dce032d07bd1701c908a2
Opcode Fuzzy Hash: 4407b657e6011acb955dce32572ec8e001536d5c24aa43e43504fab106340450
Instruction Fuzzy Hash: 24E16C70508B908BD736CF25C4907A3BBF1AF2A308F48595CD0E79B692D77AB549CB90

Function 00EA8021 Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

WS_L, xrefs: 00EA833C

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: WS_L
API String ID: 0-1529689294
Opcode ID: ee83cf5f3f2858f0079fd56f012efc3b152e04b57a88d3b72bb72da69d7d628e
Instruction ID: 52cade95071234cb7a337d0bba951fb34d3775aa7977ffdf152233adca7a0ca4
Opcode Fuzzy Hash: ee83cf5f3f2858f0079fd56f012efc3b152e04b57a88d3b72bb72da69d7d628e
Instruction Fuzzy Hash: 94D16C70104B428FD729CF29C690762FBE2BF5A304F28965DC4D69BB92CB35B845CB94

Function 00EA8075 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

WS_L, xrefs: 00EA833C

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: WS_L
API String ID: 0-1529689294
Opcode ID: a21a4565209c9b8ad7871bc9d49c4194f729e622c2a4d384361d6451f1be91a5
Instruction ID: 5cbe9bbd12cfd3ca287fdb454b5dfdae916725690ac4b89fc7c0a8cd2bd41e3e
Opcode Fuzzy Hash: a21a4565209c9b8ad7871bc9d49c4194f729e622c2a4d384361d6451f1be91a5
Instruction Fuzzy Hash: A5D17B70104B428FD729CF29C690762FBE2BF5A304F28965DC4D69BB92CB35B845CB94

Function 00E92487 Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

8,, xrefs: 00E9271E

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: 8,
API String ID: 0-1688126183
Opcode ID: f7bf08cf2249894b6c472f25f4e6de2f6d6e857caf88ca37ff6d29ac0d6095a4
Instruction ID: 590473894586e8057d212aa6d28269e71ef9ad0661710c92cf4c1d1ea51df84e
Opcode Fuzzy Hash: f7bf08cf2249894b6c472f25f4e6de2f6d6e857caf88ca37ff6d29ac0d6095a4
Instruction Fuzzy Hash: 03D178706083809FDB65EF28C880BAEBBE5EF85304F44692DE5C997291D7399845CB53

Function 00EA8066 Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

WS_L, xrefs: 00EA833C

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: WS_L
API String ID: 0-1529689294
Opcode ID: cc776be3998b84f4e07f2b72921ec9ef62d85af3e4813999a519d1b2a294e654
Instruction ID: aec68879668c43200ca15efaa2371ab147188e2de9d1953cbf8c5e530b7c3ed1
Opcode Fuzzy Hash: cc776be3998b84f4e07f2b72921ec9ef62d85af3e4813999a519d1b2a294e654
Instruction Fuzzy Hash: 61C19D70104B828FD729CF29C590762FBE2BF5A304F28969DC4D69BB92C735B845CB94

Function 00E924A8 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

8,, xrefs: 00E9271E

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: 8,
API String ID: 0-1688126183
Opcode ID: bbff7603088e0efc7a6450daadf2da4d454aec0a84c9d4bbc89d2f533476bfe0
Instruction ID: e31fccfe77a120aa27358c88b0be20814e44f10a432c2013977421cd01090bbd
Opcode Fuzzy Hash: bbff7603088e0efc7a6450daadf2da4d454aec0a84c9d4bbc89d2f533476bfe0
Instruction Fuzzy Hash: E8D157706083809FDB65EF28C881BAFBBE5EF85304F44292DE5C9972A1D7399845CB53

Function 00E8436F Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

/*, xrefs: 00E8455C

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: /*
API String ID: 0-764831015
Opcode ID: 2cd913d8aec2b2734fb2ee5f3855792953d0cac4ce6463724a07330582431b12
Instruction ID: ad73947ed600ba69e0276322cb0e832cd3f9e6892280b27d875ef95fae6c1463
Opcode Fuzzy Hash: 2cd913d8aec2b2734fb2ee5f3855792953d0cac4ce6463724a07330582431b12
Instruction Fuzzy Hash: E5D126B0514B128FC368DF29C59066ABBE1FF85710B509A2ED59BABED0E735F844CB04

Function 00EA0410 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

s}, xrefs: 00EA06D2

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: s}
API String ID: 0-1555587195
Opcode ID: 4b98071e28d2aff4c0498dd63199efbee4ab02991ca00792bd7137d6df62e3a4
Instruction ID: edd5109ad52aa0df1b0c243dd50cf4c6caff871a690d833d218b31cd69c74be0
Opcode Fuzzy Hash: 4b98071e28d2aff4c0498dd63199efbee4ab02991ca00792bd7137d6df62e3a4
Instruction Fuzzy Hash: 56918AB15083019BD724DF18C89166BBBF1EFCA358F049A2CE4C5AB391E374D945CB86

Function 00EA6490 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

zzcd, xrefs: 00EA6632

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: zzcd
API String ID: 0-2024795975
Opcode ID: a64b2db0277d8d8116b64bded26556355968dedb0d411cd2200ec61f2cced391
Instruction ID: 292c466c28984af1feb551253cdb301ddaf492eb0942dcfd726e6e32a4c1ca7a
Opcode Fuzzy Hash: a64b2db0277d8d8116b64bded26556355968dedb0d411cd2200ec61f2cced391
Instruction Fuzzy Hash: 4C91DF345087808BD7298B29C050676FBF2AF9B318F286A5ED4E76F796D335E841CB14

Function 00EA67AF Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

slo{, xrefs: 00EA68E8

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: slo{
API String ID: 0-1018248694
Opcode ID: 639c1a48cd58f1789e5a7577b5550af3c274baf05d60edbbbbee3f4dcf11b0e6
Instruction ID: 7f1905edc964de42c49315f8cdc9369f7ceb9584cb3284edd4803757e7b08010
Opcode Fuzzy Hash: 639c1a48cd58f1789e5a7577b5550af3c274baf05d60edbbbbee3f4dcf11b0e6
Instruction Fuzzy Hash: 85612B70145B908AE7268F26C4A0BA3BBE1AF1B308F48599DC0E79B756C739B446CB50

Function 00EA684D Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

slo{, xrefs: 00EA68E8

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: slo{
API String ID: 0-1018248694
Opcode ID: 9d147fea3c11eb420b9be794e52d3f27bf5a7d988300f308afd8eea1595f1269
Instruction ID: 0c80880d04b9078c2be240577570442fb27ce48073f85740da0ec4d1a8a3ceba
Opcode Fuzzy Hash: 9d147fea3c11eb420b9be794e52d3f27bf5a7d988300f308afd8eea1595f1269
Instruction Fuzzy Hash: 28611D70145B908BE726CF2AC4A07A3BBE1AF5B304F48589DC0E79B756C739B545CB50

Function 00EA7D6E Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

1>7m, xrefs: 00EA7D7A

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: InitializeThunk
String ID: 1>7m
API String ID: 2994545307-3827447187
Opcode ID: da2acd39fdc1f0fdd32424eb66615eea6f9f2ed32258b9c2eab7c7764b10aac7
Instruction ID: 7eda158f1822f67886c7a1d2dd59aa38ace0fa408c3f6193a846f6181659d399
Opcode Fuzzy Hash: da2acd39fdc1f0fdd32424eb66615eea6f9f2ed32258b9c2eab7c7764b10aac7
Instruction Fuzzy Hash: DA418E742047418FD729CF29C990B22BBF2EF5A704F18999CD4D69B692C735F806CB64

Function 00EA1F23 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

}s, xrefs: 00EA1F63

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: }s
API String ID: 0-2525031176
Opcode ID: 1e883fa51d4ac941e8f87a2d0ffe2231d0c4e18c71a64b79304a453846da8c28
Instruction ID: 2d843af61a3866c50ee387b24b501505889bea3bb19e31f4b1ff15ae05b87e8e
Opcode Fuzzy Hash: 1e883fa51d4ac941e8f87a2d0ffe2231d0c4e18c71a64b79304a453846da8c28
Instruction Fuzzy Hash: 824188B05042018BC724CF18C861722B7F2FF9A318F299A9CD4869F796E375E843CB84

Function 00E9E033 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

e1c, xrefs: 00E9E0BB

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: e1c
API String ID: 0-2007318509
Opcode ID: cf78d1ba67b7c8aebe1b86a086aaa4718ba748b29cf34b8f8e1599e51f3a323f
Instruction ID: 0066780609863a8d847da5e17b13867ee1e8d45b41568a72b7c364dd2b42b1ee
Opcode Fuzzy Hash: cf78d1ba67b7c8aebe1b86a086aaa4718ba748b29cf34b8f8e1599e51f3a323f
Instruction Fuzzy Hash: 73410BB0108380AFD704DF19C881B2ABBE1EB95748F249E2CE1D59B361D775C846CF46

Function 00E91FEF Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

D>, xrefs: 00E92007

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID: D>
API String ID: 0-261516509
Opcode ID: 4a9df98eddecf21fdcbcfb8280d1d36d9f081d05925678d5c1caea212a1d8057
Instruction ID: 03fef745fc6488d22e69a9874f8fee7082c717b6d198fc6777d0fbb8cdb467df
Opcode Fuzzy Hash: 4a9df98eddecf21fdcbcfb8280d1d36d9f081d05925678d5c1caea212a1d8057
Instruction Fuzzy Hash: EAD05E78A092008BC745AA00FC1297AF2B15B82300F083439E85AE3261CA22D806C605

Function 00E88210 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dad4efee47b3c792327815125dea94a364233b9e0e015133cfadaa3c9ce2aba
Instruction ID: 1ab51cdc33a1daefb75aded8d17f893301af8d25663c2b63465d9cb368213467
Opcode Fuzzy Hash: 9dad4efee47b3c792327815125dea94a364233b9e0e015133cfadaa3c9ce2aba
Instruction Fuzzy Hash: 093218716087118BC724EF18C9802BBB3E1FFD4315FA9992DD9CEA7285EB34A851C746

Function 00EB5070 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df5d4cbe5480aeeb5d43827f0a74f70c6df5b664f61ee096cf407ecdc664569
Instruction ID: 93e5028e6e912169545fc66d2d77d407cf83f796a6c1555831e13f0d523f89ec
Opcode Fuzzy Hash: 8df5d4cbe5480aeeb5d43827f0a74f70c6df5b664f61ee096cf407ecdc664569
Instruction Fuzzy Hash: 4432CD766087419FC714CF18C880B5BBBE1FBC4318F589A6DE8999B291D735EC45CB82

Function 00E978AF Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a06cd7a50e480f2fd3644927c7b415490564ba6db03c6e0a7441d1c82f81653
Instruction ID: 78700cbca0e302f6f8fe8d5d71997ea4914ff1f7f167ab03275dbf2eac9374f5
Opcode Fuzzy Hash: 3a06cd7a50e480f2fd3644927c7b415490564ba6db03c6e0a7441d1c82f81653
Instruction Fuzzy Hash: A012BB715183118BCB18CF18C8A076BB7F2EFD5718F149A1CE8DA6B391E3749949CB82

Function 00E865C0 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c79aeeb4bf2962c5c3d064dd8e9c1b27f6cbf5e8afc5f35450cb73ecbc114e
Instruction ID: 549ed4b466244486333418e390250e207dbfde1f3e20b7ea1f4fa2e5ecf6177b
Opcode Fuzzy Hash: 83c79aeeb4bf2962c5c3d064dd8e9c1b27f6cbf5e8afc5f35450cb73ecbc114e
Instruction Fuzzy Hash: 6A02E331608340CFC718DF28C48166ABBE1EF98304F58996DF99DAB392D771D805CB92

Function 00E96D24 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0573986c0fe1e2557bc529d1eaf6dd1172f7fb588a36bb2163aaa4659fe37bd1
Instruction ID: 7b2097f3d2fa2a06cc789a6d40195227368e7514b54346f83ec53d8a04088b23
Opcode Fuzzy Hash: 0573986c0fe1e2557bc529d1eaf6dd1172f7fb588a36bb2163aaa4659fe37bd1
Instruction Fuzzy Hash: E9C155B55483408BDB14CF18D880A9FBBE1EF95398F54991DF8C89B362D334D989CB86

Function 00E97864 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41af3700b732e2d32a05a8c54ae5ed99fc927a8907ab78a55e749edb3bcf266
Instruction ID: 0c5def3d90e2c8945499828d042225a2131b0bf1aeaea7ed2b9b09fa56c0f224
Opcode Fuzzy Hash: f41af3700b732e2d32a05a8c54ae5ed99fc927a8907ab78a55e749edb3bcf266
Instruction Fuzzy Hash: C9A189715183118BCB28CF18C8A076BB7F1EF85758F149A1CE8DA6B391E7749D49CB82

Function 00EBA410 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1a7922bdce93d2563d039a70869f0a97c9d249153c1b80c0af1802eb6d3d67
Instruction ID: 5f4e30805739e02a68754100c0a34274f24c7b069b42eed92be07d9eb2742902
Opcode Fuzzy Hash: 7b1a7922bdce93d2563d039a70869f0a97c9d249153c1b80c0af1802eb6d3d67
Instruction Fuzzy Hash: 379193716053029FCB24CF19C890AABB7F2FF84714F19956CE885AB251E730DD55CB92

Function 00EBA730 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c75e70359b8d0875d99dac8e65c52b2f57cf5410f505f1b8391c2724ec89ee
Instruction ID: 9935a9938feb6de6ff3c909c342f9471996dee5fe1cc9f92a344b1eb61d82cfe
Opcode Fuzzy Hash: e3c75e70359b8d0875d99dac8e65c52b2f57cf5410f505f1b8391c2724ec89ee
Instruction Fuzzy Hash: D5A1C072A083129BCB15CF18D8806ABB7E2FF88714F19992CE9D5A7351D731EC51CB92

Function 00E9C870 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5f5414ce292a53184b31e1311154b0a7e93979e9fe6e79e2d02323025c4de6
Instruction ID: b7e4e2b69541a260c1983240b12e4b034fb51b9d4ef8d6f4a87fda28bda2628c
Opcode Fuzzy Hash: 9c5f5414ce292a53184b31e1311154b0a7e93979e9fe6e79e2d02323025c4de6
Instruction Fuzzy Hash: 259129B56043119BDB18EF18CC91BABB3E5FF84318F18552CF986A7281E774E901C792

Function 00EA48DF Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f910bf2a6c151de857ff6669ee13a497de501085b0fa4551315b95f813cc69a0
Instruction ID: 10ed93521d21d235d2c1dc063cb4238408a1e310c9ee4eae504e898f8cbf5366
Opcode Fuzzy Hash: f910bf2a6c151de857ff6669ee13a497de501085b0fa4551315b95f813cc69a0
Instruction Fuzzy Hash: 8271BCB52043108FC729CF28C8A0A63B7F2FF9A314B15495DC8D69F7A6DB75A805CB90

Function 00E93737 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d226ef02b08b46a8f3098081bf8a7eb4ea944671f5aec9448364783cf5645902
Instruction ID: 67540f35aefae7b3c587249857262a3b8667a03591e1e9e412718e6c77279de9
Opcode Fuzzy Hash: d226ef02b08b46a8f3098081bf8a7eb4ea944671f5aec9448364783cf5645902
Instruction Fuzzy Hash: 3E51A4756083918BD728CF24C4907ABB3E2FFC5328F19992CE4DA5B381DB749945CB86

Function 00EB1DC0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb0370c9591b2dda7ee638cfa83628f066fcf06faf596b5bbf642c656220fed
Instruction ID: 31223a944efe602533ce29b21483a82d35b4a4226e5510b06e6c922f70af97dd
Opcode Fuzzy Hash: 4bb0370c9591b2dda7ee638cfa83628f066fcf06faf596b5bbf642c656220fed
Instruction Fuzzy Hash: 83619CB15087048FE314DF29D8A43ABBBE1AB84318F04892DE5E687390D775DA08CF82

Function 00E9394D Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b7cad896cc9c6cd066c2cb208e148ecb52771654487ebb3da9529df6f5e88c
Instruction ID: f870cbede7ac984e91168cca30db08acbcd45fa40e09ea3282305d04ca0296f6
Opcode Fuzzy Hash: 08b7cad896cc9c6cd066c2cb208e148ecb52771654487ebb3da9529df6f5e88c
Instruction Fuzzy Hash: 495191756083418BD728CF19C8907ABB3E2FFC5328F19992CE4D95B381DB749945CB86

Function 00E83430 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6eddaa78e8204bd80621a3726be6f2ddae0100b8a4110f86262e8cddb92d64d
Instruction ID: 615fe95a4620b7afa90cb13da52ef0ca5f64c6a7df969e5b83fdaaac993f57c3
Opcode Fuzzy Hash: d6eddaa78e8204bd80621a3726be6f2ddae0100b8a4110f86262e8cddb92d64d
Instruction Fuzzy Hash: 9641C432B081654BCB189A3DCC5027ABAD39FC5648F1ED539E8CDEB786E534D90093D4

Function 00E95510 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2e7c75917adee71637c1a773c0df819a64426b61f5d8981bfe3b22f4ffe6cb
Instruction ID: 1470da9d5fefed981c051554ac1501f3aa8655872421b8551fc480998007b522
Opcode Fuzzy Hash: 8c2e7c75917adee71637c1a773c0df819a64426b61f5d8981bfe3b22f4ffe6cb
Instruction Fuzzy Hash: E2415BB39087048BCB22AF54C880777B7E9EF52318F5A6569E88D67293EB71DC04C351

Function 00E8EE60 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e1a8092221a87039b6dc645e6517e85d3ec095e13d7040809745a20dd094b3
Instruction ID: 8073af8d25038687c8a4c5fb3dd8956bd5b40a9d3526e9ddcac72bb7f4c3d2b8
Opcode Fuzzy Hash: d8e1a8092221a87039b6dc645e6517e85d3ec095e13d7040809745a20dd094b3
Instruction Fuzzy Hash: 6841E17270C2604FE308DA3AC45476ABBD2AFC9350F198A2EF0DD877D5D6388945EB51

Function 00E95F09 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c045a70e5f0107ed7f34553b7663974d22f4e4dfdddd1914720ec0ec0eb917bc
Instruction ID: 156d0ab494ef13c6b6529f61d45aaf7fc2634c32a1f5a48df7f5f4fe71200a7a
Opcode Fuzzy Hash: c045a70e5f0107ed7f34553b7663974d22f4e4dfdddd1914720ec0ec0eb917bc
Instruction Fuzzy Hash: 3D41A9752083518FC724CF18C4A1B6BB3F1EFC6314F049A1DE896AB291E7799906CB92

Function 00EA7731 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8213815d06bb03da3631bf907528b364239abdefbf8c8edc567f674d91b2d71a
Instruction ID: b30c82c18b925e717160a355dba8e472c8bfae035e342dfcd7ca8c986a1eb38f
Opcode Fuzzy Hash: 8213815d06bb03da3631bf907528b364239abdefbf8c8edc567f674d91b2d71a
Instruction Fuzzy Hash: 1F31BE34108B528BD72CCF16C8E4622BBF2EF97305B18995DC5E30BBA6C635B845CB84

Function 00E9F580 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f517b90154633d8211b74b8634f04e7598053b121eae01471b33d3af2c4a2ff
Instruction ID: 9e222b054abb62bb4a6ca4ae3714d0c3d681a72d27b08c298e3c6019d96eb012
Opcode Fuzzy Hash: 2f517b90154633d8211b74b8634f04e7598053b121eae01471b33d3af2c4a2ff
Instruction Fuzzy Hash: A8212F352083819FDB28EF15C890BBAB3E3FBC5314F195A6CD5DD67692C73168058B91

Function 00E93C08 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2357652fc7d8bfa9f65ce62146da6f3c2663d9a21049eb63a412019347533ab6
Instruction ID: a5b52848b3adaf7290639d211e5fe5fc1405e27137fc8437cb35c37dba3c53b1
Opcode Fuzzy Hash: 2357652fc7d8bfa9f65ce62146da6f3c2663d9a21049eb63a412019347533ab6
Instruction Fuzzy Hash: 99115E356083108FDB28CF24C4916AAF7E6EFCD328F1A692DD4C9B7351E734A9418B55

Function 00EB8494 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37071e649e76b4835ba3886bd6662782662ba5c517621aef609640bd6c67cdcd
Instruction ID: f2a8c4563bf86e9f37860895ce1f43f6529323e2c4937456c2e62ffcccb9299b
Opcode Fuzzy Hash: 37071e649e76b4835ba3886bd6662782662ba5c517621aef609640bd6c67cdcd
Instruction Fuzzy Hash: 1221F675215B008FD320CF15C694703BBA3EBDA718F29C96CC5AA1BB59C376E8078B80

Function 00EB8600 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02c027b12e39f8fbd949a90471b7f81c73cd850681345e8fa7de63032de86af
Instruction ID: 5273275d77df07e04defe10445a226830561a442db4c77aac80e16328205f5ed
Opcode Fuzzy Hash: d02c027b12e39f8fbd949a90471b7f81c73cd850681345e8fa7de63032de86af
Instruction Fuzzy Hash: EF21E575A01A008FD328CF19C5A1623B7F6EF89314F14C65CD8A64B7D9D730A815CBC5

Function 00E871A2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6259205c0c07459dc2a62cbee40b8fea04cdd1d17269642e5404a21918aad97a
Instruction ID: dc088893a8e2636dad987ae95f604f37580c9e831f51698e1e42e988d3d8dc8d
Opcode Fuzzy Hash: 6259205c0c07459dc2a62cbee40b8fea04cdd1d17269642e5404a21918aad97a
Instruction Fuzzy Hash: 5E0189A1A5DB140AC325DDA098E427ABA63EBD6314FAC526CC6EF932E3D661D519C300

Function 00EA77A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f490cb8fd506112c139f442f86718d7986b1c10b23f60bafe3d52c99dee3746
Instruction ID: 78c69a300440ae474bf0ec33fae2e445472810cb6ac73219d5753a2deb1c5004
Opcode Fuzzy Hash: 6f490cb8fd506112c139f442f86718d7986b1c10b23f60bafe3d52c99dee3746
Instruction Fuzzy Hash: 7A218B34104B518BDB28CF16C4E0726BBF2EF9B319B18A94DC5D31BA96C739B405CB44

Function 00EAFF40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: a38f1d778e3f4057b11d1739dec044f83053c7d0f13a4fd02e132ec55ff9033e
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: C81129377091E50EC3128E7C88005A5BFA30A97238F1953A9F4B8AF2D6C6229D8B8350

Function 00EA5580 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a644661a4e5abe859417051fff18ff8f17532f572549462d98e5231b5c783274
Instruction ID: 24a7a0139cb3033686f9cab774e6e6919e3891469bf81eaccfd8847eb4823d1b
Opcode Fuzzy Hash: a644661a4e5abe859417051fff18ff8f17532f572549462d98e5231b5c783274
Instruction Fuzzy Hash: F10175F6A00B0197D720AE54A5D1727B2EA6F8A708F59692DD8086F201EB75FC05C791

Function 00E8CCB0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 946efc96d933687b7ec883640d7b21800bf760201218de58eae2b0d09c40f071
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 02D0A7615487A10E57598D3814E0477FBE8E947626B28249EE4DDF3105D230DC0197A8

Function 00EB94A9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb46a62c7e24d9387a6d4e439171ccac7aa47d4a9bfa07efddff81907ea6c259
Instruction ID: 7d26629b3cd68f5396bf8b092215800dfcbed7285356d1b522b570d6359ee636
Opcode Fuzzy Hash: bb46a62c7e24d9387a6d4e439171ccac7aa47d4a9bfa07efddff81907ea6c259
Instruction Fuzzy Hash: 43D0A732A444108FC358CF19C800936B3F6BFCD201386105DD0929B762EB34D204C254

Function 00EB76C4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7d6df8bbfbd989e30777f26423c92a89664f58ab54939dcad47fa85eb00c94
Instruction ID: 47cdc57d6af4d88142e85aa0c8dcbf0306c5da44c10fe866bbf90d663fc2a5fb
Opcode Fuzzy Hash: fd7d6df8bbfbd989e30777f26423c92a89664f58ab54939dcad47fa85eb00c94
Instruction Fuzzy Hash: 14C08CB1BA20424F93088A09E872C727332E783021B14B22D8433336EAC4269107454C

Function 00E8E5C7 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6927de363cad90842903dfa6c3476182c71220c9759d287077fbd08114a93b
Instruction ID: f510473a3b8159edd6b03965cec76d53a5a891001e03d6d0e28809efa26f29ed
Opcode Fuzzy Hash: ba6927de363cad90842903dfa6c3476182c71220c9759d287077fbd08114a93b
Instruction Fuzzy Hash: F5C09B74B442004BC608CE05DC51477637953876117147538D402F3761C514D4068504

Function 00EB5D98 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a06dbae5731b22a5af71c749173cb23a4a33ce82a9caa6a52354d2bbba1ae6
Instruction ID: a1edf1fc81a4b2dc5e2f53a7ec66fb0ca7abf0f1900e77f34ace101bde72c614
Opcode Fuzzy Hash: 33a06dbae5731b22a5af71c749173cb23a4a33ce82a9caa6a52354d2bbba1ae6
Instruction Fuzzy Hash: 16B092B8A5C080CF924CCF02E8A0836B27AE787214B15B12A81063329EC23294078A4C

Function 00E9E1AF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fb567555a7f1d2431e8f06e634e797076a1683374cfece3f651e8d02b3755c
Instruction ID: b876e276b2b7a376f57585e2f91ef815e9d25d060f2b6f70ed6846cca7e853b8
Opcode Fuzzy Hash: 30fb567555a7f1d2431e8f06e634e797076a1683374cfece3f651e8d02b3755c
Instruction Fuzzy Hash: 3EA024D4C04000C7C300DD047431430F1744347101F403430D40CF3303D511D415430D

Function 00E9D7DE Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85cfd76783c087c23a198e56e33ed054bff0c33121c60fae58baf736877d008
Instruction ID: 5e6387758b0e6fdfc1665fa40b2a92a7cbc2c5d03681530b8617f4b9150c58b6
Opcode Fuzzy Hash: f85cfd76783c087c23a198e56e33ed054bff0c33121c60fae58baf736877d008
Instruction Fuzzy Hash: FEA011B0E0C0008ACB088E008A028B8E238038B202A20B2A8800A33202A220C002820C

Function 00E9D84F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3902e4244f7b7bbc78cbd32d4aa57bb346cc8c75f42b6b4c27bae05219f5ea07
Instruction ID: 622d7b32a8f76fff71453c8759cb74d7396b9f0dc21a251981051feaddebcb0a
Opcode Fuzzy Hash: 3902e4244f7b7bbc78cbd32d4aa57bb346cc8c75f42b6b4c27bae05219f5ea07
Instruction Fuzzy Hash: A6B00279A481009FC244CE01D590875F376E7CF215F25E5599C59273568632E807CA49

Function 00E81787 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d48dc5cdc7b829b183b2079b7098ddb4b03d3b820891215619688df4f28f58
Instruction ID: 01ef58b30afcc6e3a144c11cb1b8012362a99142c3fb77b51beb4151f7615038
Opcode Fuzzy Hash: 46d48dc5cdc7b829b183b2079b7098ddb4b03d3b820891215619688df4f28f58
Instruction Fuzzy Hash: 5C900220D491058A81408E0595444B1E278538B101F503540D008F3112C210E408451D

Function 00EA99F2 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 227COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00EA99FC

Strings

[, xrefs: 00EA9B9E
], xrefs: 00EA9BAE
O, xrefs: 00EA9B96
J, xrefs: 00EA9B86
P, xrefs: 00EA9BA6
V, xrefs: 00EA9B8E

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: String
String ID: J$O$P$V$[$]
API String ID: 2568140703-3337704060
Opcode ID: e06df139b7fac4a3a853f461a563586bd6aa02573b99ebba0b3b004a619751df
Instruction ID: 968bd5b5e50c6eb546bf9c6f9ea5d9ee19407239a1d7ff36e34d61e4919efff6
Opcode Fuzzy Hash: e06df139b7fac4a3a853f461a563586bd6aa02573b99ebba0b3b004a619751df
Instruction Fuzzy Hash: F291A5716097818FC735DF28C8917DABBE1BBDA310F184A6DD4E98B3C2D6359845CB42

Function 00EADE90 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(00000000,00000007), ref: 00EADEBF
GetObjectW.GDI32(00000000,00000018,?), ref: 00EADECF
DeleteObject.GDI32(00000000), ref: 00EADEE6
SelectObject.GDI32(00000000,00000000), ref: 00EADF07
SelectObject.GDI32(00000000,00000000), ref: 00EADF32
DeleteDC.GDI32(00000000), ref: 00EADF39
DeleteObject.GDI32(00000000), ref: 00EADF4D

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: Object$Delete$Select$Current
String ID:
API String ID: 932865934-0
Opcode ID: ee1043b8829d9b3744de5ec44bb451515738dd441ffa726adb4be7b7450bcc21
Instruction ID: e479a4cf09b3d853b62fab99b2dea6995334f9b0fdbf5c048bd91be4c886bcd1
Opcode Fuzzy Hash: ee1043b8829d9b3744de5ec44bb451515738dd441ffa726adb4be7b7450bcc21
Instruction Fuzzy Hash: C5215075108304BFD3056FA69C09F2F7BF8EF89712F000619FA45A21A0E7749909CFA6

Function 00E90775 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00E9077B
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00E90787

Strings

Rn!_, xrefs: 00E90792

Memory Dump Source

Source File: 00000000.00000002.1690787182.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e81000_8yprhxqBVs.jbxd

Similarity

API ID: DirectorySystem
String ID: Rn!_
API String ID: 2188284642-1967302553
Opcode ID: 7807a2612dca921a0c82630d74c195ff19dbb9bf59a101253d2a5c115e107ab2
Instruction ID: 4e36eec94837f0795a6d5d5c57f4d9b4cdbaf0f21b3a08a23713bbef1c4a161b
Opcode Fuzzy Hash: 7807a2612dca921a0c82630d74c195ff19dbb9bf59a101253d2a5c115e107ab2
Instruction Fuzzy Hash: C4D012F52441109FC208CB15EC45D9B371CFF05755B004236F647F22A0DA7011058A14

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8yprhxqBVs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Windows Analysis Report
8yprhxqBVs.exe

Function 00EB4700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
memoryCOMMON

Function 00EB6B90 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Function 00E890E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
COMMON

Function 00E8A1B0 Relevance: 1.8, APIs: 1, Instructions: 325
libraryCOMMON

Function 00EB4660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 00EB6A30 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON