Edit tour

Windows Analysis Report
tGm4SuP0sz.exe

Overview

General Information

Sample name:	tGm4SuP0sz.exe renamed because original name is a hash value
Original sample name:	42dcacc7a076e1496d9650cf3fed897e3267577cf23fa47cf8591e508984cbbc.exe
Analysis ID:	1465359
MD5:	cabeb02d14a76418addc20a3943681c8
SHA1:	7a059897e5f686c9421c772e88d60ab5239b22d2
SHA256:	42dcacc7a076e1496d9650cf3fed897e3267577cf23fa47cf8591e508984cbbc
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

tGm4SuP0sz.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\tGm4SuP0sz.exe" MD5: CABEB02D14A76418ADDC20A3943681C8)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "employeedscratshj.shop"], "Build id": "HpOoIh--@MoneyPayin"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.800033
SID:	2053670
Source Port:	56366
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.063241
SID:	2053682
Source Port:	55154
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.580427
SID:	2053678
Source Port:	57904
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.811680
SID:	2053668
Source Port:	61148
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.696934
SID:	2053672
Source Port:	55221
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.683572
SID:	2053674
Source Port:	52482
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.563142
SID:	2053680
Source Port:	50222
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop) - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-15:56:54.595520
SID:	2053676
Source Port:	49552
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://falseaudiencekd.shop/api	Avira URL Cloud: Label: malware
Source: https://feighminoritsjda.shop/api1	Avira URL Cloud: Label: malware
Source: employeedscratshj.shop	Avira URL Cloud: Label: malware
Source: marathonbeedksow.shop	Avira URL Cloud: Label: malware
Source: https://employeedscratshj.shop/api	Avira URL Cloud: Label: malware
Source: https://pleasurenarrowsdla.shop/api?	Avira URL Cloud: Label: malware
Source: feighminoritsjda.shop	Avira URL Cloud: Label: malware
Source: https://richardflorespoew.shop/api	Avira URL Cloud: Label: malware
Source: https://strwawrunnygjwu.shop/api	Avira URL Cloud: Label: malware
Source: https://feighminoritsjda.shop/apiK	Avira URL Cloud: Label: malware
Source: https://justifycanddidatewd.shop/api	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

Avira: detection malicious, Label: HEUR/AGEN.1301971

Found malware configuration

Source: 0.2.tGm4SuP0sz.exe.6d36f000.2.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "employeedscratshj.shop"], "Build id": "HpOoIh--@MoneyPayin"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Source: tGm4SuP0sz.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: tGm4SuP0sz.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: richardflorespoew.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: strwawrunnygjwu.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: justifycanddidatewd.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: raiseboltskdlwpow.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: falseaudiencekd.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: pleasurenarrowsdla.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: feighminoritsjda.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: marathonbeedksow.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: employeedscratshj.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp	String decryptor: HpOoIh--@MoneyPayin

Source: tGm4SuP0sz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tGm4SuP0sz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D360B78 FindFirstFileExW,

0_2_6D360B78

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_6D378530
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_6D390D8C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000230h]	0_2_6D381D80
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_6D383DF8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_6D3A3DE0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_6D3A3DE0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then add ebx, 02h	0_2_6D383C39
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_6D38D470
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then jmp eax	0_2_6D38FC57
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, ecx	0_2_6D391CE1
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp byte ptr [ecx+eax], 00000000h	0_2_6D37ECE8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h	0_2_6D37ECE8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000230h]	0_2_6D37E724
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_6D384F2B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_6D37B700
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_6D3A7F60
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp byte ptr [ebx+esi], 00000000h	0_2_6D39079B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_6D3A37F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then xor eax, eax	0_2_6D38F61A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then xor eax, eax	0_2_6D38F53A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_6D3A8130
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_6D371160
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	0_2_6D383190
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_6D3939D8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	0_2_6D38081C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	0_2_6D38281B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	0_2_6D38081C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	0_2_6D392070
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	0_2_6D38081C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000D8h]	0_2_6D37F889
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_6D3910F7
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_6D3780D0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_6D390310
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_6D392300
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	0_2_6D37F3A5
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp word ptr [eax], 0000h	0_2_6D381399
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000888h]	0_2_6D38C38A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000888h]	0_2_6D38C3F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then push esi	0_2_6D3863D3
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h	0_2_6D3823C0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov edi, ecx	0_2_6D385A1E
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_6D392A70
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then jmp eax	0_2_6D38FABE
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 0850A6E6h	0_2_6D3A82F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 4x nop then mov ecx, edi	0_2_6D375900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], B67AF9EBh	3_2_004377D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00421857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ebx, 02h	3_2_00415822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_00415822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, dx	3_2_004280C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], B67AF9EBh	3_2_004378CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, ecx	3_2_004238E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ecx+eax], 00000000h	3_2_004108E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h	3_2_004108E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [eax], 00000000h	3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test edi, edi	3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00431120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_0040A130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004359E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004359E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test edi, edi	3_2_004391F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000230h]	3_2_00413980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ebx+esi], 00000000h	3_2_004221B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [eax], 00000000h	3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test edi, edi	3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00439B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0040D300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, dword ptr [esi]	3_2_00438305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_00421B22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000230h]	3_2_00410324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00416B2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, ecx	3_2_00416B2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [eax], 00000000h	3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test edi, edi	3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_004353F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	3_2_0041241C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	3_2_00423C77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	3_2_0041441B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	3_2_0041241C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [004401D8h]	3_2_0041241C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00421439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_00409CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	3_2_00422CF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000D8h]	3_2_00411489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	3_2_00402D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [eax], 00000000h	3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test edi, edi	3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_00439D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then xor eax, eax	3_2_00420DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004255D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	3_2_00426DF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	3_2_00414D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, dword ptr [esi]	3_2_004365B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then xor eax, eax	3_2_00420E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00424670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	3_2_00423E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	3_2_00423E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [eax], 00000000h	3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test edi, edi	3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 0850A6E6h	3_2_00439EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, dx	3_2_00427F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, ecx	3_2_00427F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push esi	3_2_00417F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00438F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test edi, edi	3_2_00438F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h	3_2_00413FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], B67AF9EBh	3_2_004377D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000888h]	3_2_0041DFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0041EFFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000888h]	3_2_0041DF8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [eax], 0000h	3_2_00412F99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	3_2_00410FA5

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2053682 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop) 192.168.2.8:55154 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053680 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop) 192.168.2.8:50222 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053678 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop) 192.168.2.8:57904 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053676 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop) 192.168.2.8:49552 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053674 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop) 192.168.2.8:52482 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053672 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop) 192.168.2.8:55221 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053670 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop) 192.168.2.8:56366 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053668 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop) 192.168.2.8:61148 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: richardflorespoew.shop
Source: Malware configuration extractor	URLs: strwawrunnygjwu.shop
Source: Malware configuration extractor	URLs: justifycanddidatewd.shop
Source: Malware configuration extractor	URLs: raiseboltskdlwpow.shop
Source: Malware configuration extractor	URLs: falseaudiencekd.shop
Source: Malware configuration extractor	URLs: pleasurenarrowsdla.shop
Source: Malware configuration extractor	URLs: feighminoritsjda.shop
Source: Malware configuration extractor	URLs: marathonbeedksow.shop
Source: Malware configuration extractor	URLs: employeedscratshj.shop

Source: unknown	DNS traffic detected: query: feighminoritsjda.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: justifycanddidatewd.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: employeedscratshj.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: falseaudiencekd.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasurenarrowsdla.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: richardflorespoew.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: marathonbeedksow.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strwawrunnygjwu.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: raiseboltskdlwpow.shop replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: employeedscratshj.shop
Source: global traffic	DNS traffic detected: DNS query: marathonbeedksow.shop
Source: global traffic	DNS traffic detected: DNS query: feighminoritsjda.shop
Source: global traffic	DNS traffic detected: DNS query: pleasurenarrowsdla.shop
Source: global traffic	DNS traffic detected: DNS query: falseaudiencekd.shop
Source: global traffic	DNS traffic detected: DNS query: raiseboltskdlwpow.shop
Source: global traffic	DNS traffic detected: DNS query: justifycanddidatewd.shop
Source: global traffic	DNS traffic detected: DNS query: strwawrunnygjwu.shop
Source: global traffic	DNS traffic detected: DNS query: richardflorespoew.shop

Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employeedscratshj.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://falseaudiencekd.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://feighminoritsjda.shop/api1
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://feighminoritsjda.shop/apiK
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://justifycanddidatewd.shop/
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://justifycanddidatewd.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pleasurenarrowsdla.shop/
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pleasurenarrowsdla.shop/api?
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raiseboltskdlwpow.shop/B
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/0
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/api7
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/apii
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/apiy
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/g
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strwawrunnygjwu.shop//l
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strwawrunnygjwu.shop/api

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_0042E490 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0042E490

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_0042E490 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0042E490

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_0042F0D2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

3_2_0042F0D2

System Summary

PE file contains section with special chars

Source: tGm4SuP0sz.exe

Static PE information: section name: .$D$

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D3530C0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,

0_2_6D3530C0

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3535D0	0_2_6D3535D0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3530C0	0_2_6D3530C0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3513F0	0_2_6D3513F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D367125	0_2_6D367125
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D351010	0_2_6D351010
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D35B700	0_2_6D35B700
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D375530	0_2_6D375530
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D392DC0	0_2_6D392DC0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D37E410	0_2_6D37E410
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D372CE0	0_2_6D372CE0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D374F20	0_2_6D374F20
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D373710	0_2_6D373710
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D39079B	0_2_6D39079B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3A86F0	0_2_6D3A86F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D374190	0_2_6D374190
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3939D8	0_2_6D3939D8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3769C0	0_2_6D3769C0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D38EB00	0_2_6D38EB00
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D38539C	0_2_6D38539C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3A8A10	0_2_6D3A8A10
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D372250	0_2_6D372250
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D375900	0_2_6D375900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00410010	3_2_00410010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004280C7	3_2_004280C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004048E0	3_2_004048E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00420092	3_2_00420092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00438950	3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00407130	3_2_00407130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004249C0	3_2_004249C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004221B9	3_2_004221B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0043A2F0	3_2_0043A2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00438AB0	3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00405310	3_2_00405310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00406B20	3_2_00406B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00421B22	3_2_00421B22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00438BD0	3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00420410	3_2_00420410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00421439	3_2_00421439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00438500	3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004085C0	3_2_004085C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00420DD0	3_2_00420DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004255D8	3_2_004255D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00405D90	3_2_00405D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0041FDA0	3_2_0041FDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00420E4E	3_2_00420E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00403E50	3_2_00403E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0042A652	3_2_0042A652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0043A610	3_2_0043A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00401EC0	3_2_00401EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004386D0	3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00432F50	3_2_00432F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00416F76	3_2_00416F76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00420700	3_2_00420700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00427F13	3_2_00427F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00438F30	3_2_00438F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0041C7EE	3_2_0041C7EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0041EFFD	3_2_0041EFFD

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: String function: 6D37E5C0 appears 51 times
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: String function: 6D377470 appears 70 times
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: String function: 6D35C6A0 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 004101C0 appears 162 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 00409070 appears 41 times

Source: tGm4SuP0sz.exe, 00000000.00000002.1389292619.00000000015DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs tGm4SuP0sz.exe
Source: tGm4SuP0sz.exe, 00000000.00000000.1385888334.000000000101C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNovaEdge31599575803.exeT vs tGm4SuP0sz.exe
Source: tGm4SuP0sz.exe	Binary or memory string: OriginalFilenameNovaEdge31599575803.exeT vs tGm4SuP0sz.exe

Source: tGm4SuP0sz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tGm4SuP0sz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@9/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_0042B109 CoCreateInstance,

3_2_0042B109

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03

Source: tGm4SuP0sz.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tGm4SuP0sz.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\tGm4SuP0sz.exe "C:\Users\user\Desktop\tGm4SuP0sz.exe"
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior

Source: tGm4SuP0sz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tGm4SuP0sz.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: tGm4SuP0sz.exe

Static file information: File size 1609728 > 1048576

Source: tGm4SuP0sz.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14b200

Source: tGm4SuP0sz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: tGm4SuP0sz.exe

Static PE information: section name: .$D$

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D367854 push ecx; ret

0_2_6D367867

Source: tGm4SuP0sz.exe

Static PE information: section name: .text entropy: 7.956028266051775

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

API coverage: 7.8 %

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7460	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7472	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D360B78 FindFirstFileExW,

0_2_6D360B78

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_00436A70 LdrInitializeThunk,

3_2_00436A70

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D35C52A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D35C52A

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D36229E GetProcessHeap,

0_2_6D36229E

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D35C52A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D35C52A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D35C051 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D35C051
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Code function: 0_2_6D3604C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D3604C7

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D3535D0 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,

0_2_6D3535D0

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: tGm4SuP0sz.exe	String found in binary or memory: richardflorespoew.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: strwawrunnygjwu.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: falseaudiencekd.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: pleasurenarrowsdla.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: justifycanddidatewd.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: raiseboltskdlwpow.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: employeedscratshj.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: feighminoritsjda.shop
Source: tGm4SuP0sz.exe	String found in binary or memory: marathonbeedksow.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 43B000	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 790008	Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D35C6E8 cpuid

0_2_6D35C6E8

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Queries volume information: C:\Users\user\Desktop\tGm4SuP0sz.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\tGm4SuP0sz.exe

Code function: 0_2_6D35C173 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6D35C173

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tGm4SuP0sz.exe	71%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
tGm4SuP0sz.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\d3d9.dll	100%	Avira	HEUR/AGEN.1301971
C:\Users\user\AppData\Roaming\d3d9.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\d3d9.dll	65%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://falseaudiencekd.shop/api	100%	Avira URL Cloud	malware
https://pleasurenarrowsdla.shop/	0%	Avira URL Cloud	safe
richardflorespoew.shop	0%	Avira URL Cloud	safe
https://feighminoritsjda.shop/api1	100%	Avira URL Cloud	malware
https://richardflorespoew.shop/apiy	0%	Avira URL Cloud	safe
pleasurenarrowsdla.shop	0%	Avira URL Cloud	safe
employeedscratshj.shop	100%	Avira URL Cloud	malware
marathonbeedksow.shop	100%	Avira URL Cloud	malware
justifycanddidatewd.shop	0%	Avira URL Cloud	safe
https://richardflorespoew.shop/apii	0%	Avira URL Cloud	safe
falseaudiencekd.shop	0%	Avira URL Cloud	safe
https://richardflorespoew.shop/api7	0%	Avira URL Cloud	safe
https://strwawrunnygjwu.shop//l	0%	Avira URL Cloud	safe
https://justifycanddidatewd.shop/	0%	Avira URL Cloud	safe
https://employeedscratshj.shop/api	100%	Avira URL Cloud	malware
https://pleasurenarrowsdla.shop/api?	100%	Avira URL Cloud	malware
feighminoritsjda.shop	100%	Avira URL Cloud	malware
https://richardflorespoew.shop/0	0%	Avira URL Cloud	safe
https://raiseboltskdlwpow.shop/B	0%	Avira URL Cloud	safe
https://richardflorespoew.shop/api	100%	Avira URL Cloud	malware
strwawrunnygjwu.shop	0%	Avira URL Cloud	safe
https://richardflorespoew.shop/	0%	Avira URL Cloud	safe
raiseboltskdlwpow.shop	0%	Avira URL Cloud	safe
https://strwawrunnygjwu.shop/api	100%	Avira URL Cloud	malware
https://feighminoritsjda.shop/apiK	100%	Avira URL Cloud	malware
https://justifycanddidatewd.shop/api	100%	Avira URL Cloud	malware
https://richardflorespoew.shop/g	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
justifycanddidatewd.shop	unknown	unknown	true	unknown
richardflorespoew.shop	unknown	unknown	true	unknown
strwawrunnygjwu.shop	unknown	unknown	true	unknown
falseaudiencekd.shop	unknown	unknown	true	unknown
raiseboltskdlwpow.shop	unknown	unknown	true	unknown
employeedscratshj.shop	unknown	unknown	true	unknown
marathonbeedksow.shop	unknown	unknown	true	unknown
feighminoritsjda.shop	unknown	unknown	true	unknown
pleasurenarrowsdla.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
justifycanddidatewd.shop	true	Avira URL Cloud: safe	unknown
employeedscratshj.shop	true	Avira URL Cloud: malware	unknown
marathonbeedksow.shop	true	Avira URL Cloud: malware	unknown
pleasurenarrowsdla.shop	true	Avira URL Cloud: safe	unknown
richardflorespoew.shop	true	Avira URL Cloud: safe	unknown
falseaudiencekd.shop	true	Avira URL Cloud: safe	unknown
feighminoritsjda.shop	true	Avira URL Cloud: malware	unknown
strwawrunnygjwu.shop	true	Avira URL Cloud: safe	unknown
raiseboltskdlwpow.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pleasurenarrowsdla.shop/	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://richardflorespoew.shop/apii	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://feighminoritsjda.shop/api1	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://falseaudiencekd.shop/api	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://richardflorespoew.shop/apiy	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://richardflorespoew.shop/api7	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://strwawrunnygjwu.shop//l	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://richardflorespoew.shop/api	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://justifycanddidatewd.shop/	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pleasurenarrowsdla.shop/api?	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raiseboltskdlwpow.shop/B	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://employeedscratshj.shop/api	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://richardflorespoew.shop/0	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://richardflorespoew.shop/	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://strwawrunnygjwu.shop/api	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://richardflorespoew.shop/g	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://justifycanddidatewd.shop/api	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://feighminoritsjda.shop/apiK	aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465359
Start date and time:	2024-07-01 15:56:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tGm4SuP0sz.exe renamed because original name is a hash value
Original Sample Name:	42dcacc7a076e1496d9650cf3fed897e3267577cf23fa47cf8591e508984cbbc.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@9/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 12 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: tGm4SuP0sz.exe

Simulations

Behavior and APIs

Time	Type	Description
09:56:53	API Interceptor	4x Sleep call for process: aspnet_regiis.exe modified

Process:	C:\Users\user\Desktop\tGm4SuP0sz.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Roaming\d3d9.dll

Download File

Process:	C:\Users\user\Desktop\tGm4SuP0sz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	428544
Entropy (8bit):	7.042134864297343
Encrypted:	false
SSDEEP:	6144:U92QoqVJjjpW8zZIfTkVtrhprdkBvxa/kWrPS5oKOh/C+ro2DvR86O/TpSr:U7JjjbBtPkoFpVro2l8X0r
MD5:	93067106E6F192D5D32C5CEAA164405F
SHA1:	A088015A8CCDD6AF72989FF0E8EE0B87D03D962A
SHA-256:	16E0E92ED3C35C8D60E688B5AC6BE6D141492B67249B89A4A96A5B8BF908B39E
SHA-512:	6C587D293FB75006F1C4566249F6713626D0DE58C560CB3C253EBA15F6EF8613737EB334FF9AB2DD2F4770DDFD4BE15A8A924C251769F00B70296A53EBD7F7AF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L...3.xf...........!...&.l...$............................................................@.............................x...x...<................................... ...............................`...@...............P............................text....j.......l.................. ..`.rdata...d.......f...p..............@..@.data...T...........................@....reloc...............v..............@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.838685509247705
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	tGm4SuP0sz.exe
File size:	1'609'728 bytes
MD5:	cabeb02d14a76418addc20a3943681c8
SHA1:	7a059897e5f686c9421c772e88d60ab5239b22d2
SHA256:	42dcacc7a076e1496d9650cf3fed897e3267577cf23fa47cf8591e508984cbbc
SHA512:	779ec01582eb539ad2c3c7ec8ef0f14fa2a7a072cecd82cecbaae14c66e0e3a52fe510b1dc56d4e1ccff9e033349bde0e5145c90592247dd9b086c47a62b0865
SSDEEP:	24576:PR0v48o9Tlzo+dJZujavgJSLZbM1S9ZhbrqyJ8pL4Fqgmpp/H1fmPOpz:y52TC8ZoI9Z9rqyI44Hpptflpz
TLSH:	2B7512757FD8C090E62E3BBA19D916EC0325F3601B1B33A911FA18DE5F65782CA21727
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.xf................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x54d0be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66780833 [Sun Jun 23 11:34:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14d068	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18c000	0x6e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x165000	0x48	.$D$
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14b0c4	0x14b200	b88936036270ac618d1e6800e130ed02	False	0.8556545512457531	data	7.956028266051775	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.$D$	0x14e000	0x3c5fc	0x3c600	1e3f04af42e2a07560b81b99688e9b5d	False	0.5787477355072463	data	6.399106139375437	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x18c000	0x6e0	0x800	2e251c09b5e08853789f4cba562462e0	False	0.365234375	data	3.7663118946935565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18e000	0xc	0x200	50d3c35f580058964369e5f57c3783a4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x18c0a0	0x450	data			0.40217391304347827
RT_MANIFEST	0x18c4f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/01/24-15:56:54.800033	UDP	2053670	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop)	56366	53	192.168.2.8	1.1.1.1
07/01/24-15:56:54.063241	UDP	2053682	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop)	55154	53	192.168.2.8	1.1.1.1
07/01/24-15:56:54.580427	UDP	2053678	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop)	57904	53	192.168.2.8	1.1.1.1
07/01/24-15:56:54.811680	UDP	2053668	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop)	61148	53	192.168.2.8	1.1.1.1
07/01/24-15:56:54.696934	UDP	2053672	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop)	55221	53	192.168.2.8	1.1.1.1
07/01/24-15:56:54.683572	UDP	2053674	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop)	52482	53	192.168.2.8	1.1.1.1
07/01/24-15:56:54.563142	UDP	2053680	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop)	50222	53	192.168.2.8	1.1.1.1
07/01/24-15:56:54.595520	UDP	2053676	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop)	49552	53	192.168.2.8	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 15:56:53.457998991 CEST	51684	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.051367998 CEST	53	51684	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.063241005 CEST	55154	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.073417902 CEST	53	55154	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.563142061 CEST	50222	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.577260017 CEST	53	50222	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.580426931 CEST	57904	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.592571974 CEST	53	57904	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.595520020 CEST	49552	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.680556059 CEST	53	49552	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.683572054 CEST	52482	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.695573092 CEST	53	52482	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.696933985 CEST	55221	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.796859980 CEST	53	55221	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.800033092 CEST	56366	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.809737921 CEST	53	56366	1.1.1.1	192.168.2.8
Jul 1, 2024 15:56:54.811680079 CEST	61148	53	192.168.2.8	1.1.1.1
Jul 1, 2024 15:56:54.821276903 CEST	53	61148	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 15:56:53.457998991 CEST	192.168.2.8	1.1.1.1	0x8d37	Standard query (0)	employeedscratshj.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.063241005 CEST	192.168.2.8	1.1.1.1	0xf048	Standard query (0)	marathonbeedksow.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.563142061 CEST	192.168.2.8	1.1.1.1	0x76f3	Standard query (0)	feighminoritsjda.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.580426931 CEST	192.168.2.8	1.1.1.1	0xf067	Standard query (0)	pleasurenarrowsdla.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.595520020 CEST	192.168.2.8	1.1.1.1	0x45c4	Standard query (0)	falseaudiencekd.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.683572054 CEST	192.168.2.8	1.1.1.1	0x84e0	Standard query (0)	raiseboltskdlwpow.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.696933985 CEST	192.168.2.8	1.1.1.1	0xf7bd	Standard query (0)	justifycanddidatewd.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.800033092 CEST	192.168.2.8	1.1.1.1	0x6b8a	Standard query (0)	strwawrunnygjwu.shop	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.811680079 CEST	192.168.2.8	1.1.1.1	0xe604	Standard query (0)	richardflorespoew.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 15:56:54.051367998 CEST	1.1.1.1	192.168.2.8	0x8d37	Name error (3)	employeedscratshj.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.073417902 CEST	1.1.1.1	192.168.2.8	0xf048	Name error (3)	marathonbeedksow.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.577260017 CEST	1.1.1.1	192.168.2.8	0x76f3	Name error (3)	feighminoritsjda.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.592571974 CEST	1.1.1.1	192.168.2.8	0xf067	Name error (3)	pleasurenarrowsdla.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.680556059 CEST	1.1.1.1	192.168.2.8	0x45c4	Name error (3)	falseaudiencekd.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.695573092 CEST	1.1.1.1	192.168.2.8	0x84e0	Name error (3)	raiseboltskdlwpow.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.796859980 CEST	1.1.1.1	192.168.2.8	0xf7bd	Name error (3)	justifycanddidatewd.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.809737921 CEST	1.1.1.1	192.168.2.8	0x6b8a	Name error (3)	strwawrunnygjwu.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:56:54.821276903 CEST	1.1.1.1	192.168.2.8	0xe604	Name error (3)	richardflorespoew.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:56:51
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\tGm4SuP0sz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tGm4SuP0sz.exe"
Imagebase:	0xe90000
File size:	1'609'728 bytes
MD5 hash:	CABEB02D14A76418ADDC20A3943681C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:56:52
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:56:52
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0xca0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.9%
Total number of Nodes:	634
Total number of Limit Nodes:	10

Executed Functions

Function 6D3535D0 Relevance: 77.6, APIs: 21, Strings: 19, Instructions: 7628injectionmemorythreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 6D355B21
ShowWindow.USER32 ref: 6D355B37
CreateProcessW.KERNELBASE ref: 6D3597D3
VirtualAlloc.KERNELBASE ref: 6D35982D
Wow64GetThreadContext.KERNEL32 ref: 6D359879
VirtualAllocEx.KERNELBASE ref: 6D359A5A
VirtualAllocEx.KERNEL32 ref: 6D359C27
WriteProcessMemory.KERNELBASE ref: 6D359C85
WriteProcessMemory.KERNELBASE ref: 6D35A040
ReadProcessMemory.KERNEL32 ref: 6D35A74F
WriteProcessMemory.KERNEL32 ref: 6D35A8EB
WriteProcessMemory.KERNELBASE ref: 6D35ABE8
Wow64SetThreadContext.KERNEL32 ref: 6D35AC38
ResumeThread.KERNELBASE ref: 6D35AC4D
CloseHandle.KERNEL32 ref: 6D35AC71
CloseHandle.KERNEL32 ref: 6D35AC85
GetConsoleWindow.KERNEL32 ref: 6D35AD73
ShowWindow.USER32 ref: 6D35AD89
VirtualAllocEx.KERNEL32 ref: 6D35B435
WriteProcessMemory.KERNEL32 ref: 6D35B57D
WriteProcessMemory.KERNEL32 ref: 6D35B699

Strings

@, xrefs: 6D35B42D
D, xrefs: 6D3596CD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6D359751
FPj, xrefs: 6D355F20
kernel32.dll, xrefs: 6D355B3D, 6D35AD8F
Mw;", xrefs: 6D3535DC
@3, xrefs: 6D35763B
/C}, xrefs: 6D35A287
;)vP, xrefs: 6D358B1B
MZx, xrefs: 6D359406, 6D359428
(]x, xrefs: 6D358C99
ntdll.dll, xrefs: 6D355B51, 6D35ADA3
wTyI, xrefs: 6D359AB6
?}[, xrefs: 6D359F27
AOVu, xrefs: 6D3575ED
Z[33, xrefs: 6D356444
;)vP, xrefs: 6D3535F0
/C}, xrefs: 6D35A2D5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6D359720

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: Process$Memory$Write$AllocVirtualWindow$Thread$CloseConsoleContextHandleShowWow64$CreateReadResume
String ID: (]x$/C}$/C}$;)vP$;)vP$?}[$@$AOVu$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$FPj$MZx$Mw;"$Z[33$kernel32.dll$ntdll.dll$wTyI$@3
API String ID: 2435830915-1568329391
Opcode ID: 9ab098ad8d95c35facbc560893c0967887e4ea600dfe374bbf36e4873b715eee
Instruction ID: 5691df6b5bbb590ad3d0ad5cdef2cc1bfd105765be9fdbc45a45a8014daec088
Opcode Fuzzy Hash: 9ab098ad8d95c35facbc560893c0967887e4ea600dfe374bbf36e4873b715eee
Instruction Fuzzy Hash: 96D34731A54259CFCB19CE2CCAC2BE977F5BB5B310F008289D615AB394C7369E948F61

Function 6D3513F0 Relevance: 43.9, APIs: 19, Strings: 5, Instructions: 1880filememoryCOMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32 ref: 6D351F43
GetModuleFileNameA.KERNEL32 ref: 6D352003
CreateFileA.KERNELBASE ref: 6D352047
CreateFileMappingA.KERNEL32 ref: 6D352147
CloseHandle.KERNEL32 ref: 6D3522DA
VirtualProtect.KERNELBASE ref: 6D35297D
FindCloseChangeNotification.KERNELBASE ref: 6D352D66
CloseHandle.KERNEL32 ref: 6D352DDD
CloseHandle.KERNEL32 ref: 6D352DF1
GetCurrentProcess.KERNEL32(?), ref: 6D352E6B
GetModuleHandleA.KERNEL32 ref: 6D352ECE
K32GetModuleInformation.KERNEL32 ref: 6D352F1F
CreateFileMappingA.KERNEL32 ref: 6D352F6E
CloseHandle.KERNEL32 ref: 6D353097
CloseHandle.KERNEL32 ref: 6D3530AB

Strings

p~1r, xrefs: 6D35305E
Mw;", xrefs: 6D351404
.text, xrefs: 6D35288F, 6D35302E
p~1r, xrefs: 6D3529F8
@, xrefs: 6D352971

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: CloseHandle$FileModule$Create$InformationMapping$ChangeCurrentFindNameNotificationProcessProtectVirtual
String ID: .text$@$Mw;"$p~1r$p~1r
API String ID: 2714264131-2743371051
Opcode ID: 71f3923d3451390f5dd5ab529eb611f2a9dfbdff328a1712cb8c1691baa1a435
Instruction ID: 5901b2b5bb80fd8c7a9f9fdbc359b0bf90c58781649d8e3328db49952b2aebe9
Opcode Fuzzy Hash: 71f3923d3451390f5dd5ab529eb611f2a9dfbdff328a1712cb8c1691baa1a435
Instruction Fuzzy Hash: 7BE2DE76A143058FCB14CF2CC995BDEBBF5BB4A314F008259D95ADB390C7368989CB52

Function 6D3530C0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6D35320A

Strings

Mw;", xrefs: 6D3530CB
NtQueryInformationProcess, xrefs: 6D353225
ntdll.dll, xrefs: 6D353201

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: HandleModule
String ID: Mw;"$NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-1162797286
Opcode ID: 848dfa3f7a40b8f5533a8396ab3f1f2087b12d46b4406fdc4aab2977195b61dc
Instruction ID: 34167c6541f2c86fcd7b41efa4d723664667a22d103be7ac9189c49c03ebbeb3
Opcode Fuzzy Hash: 848dfa3f7a40b8f5533a8396ab3f1f2087b12d46b4406fdc4aab2977195b61dc
Instruction Fuzzy Hash: 18A10F71A542099FCF06CFBCC595BEDBBF9BB46310F118529D924EB390C6369A09CB21

Function 6D35BE48 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D35BE8F
___scrt_uninitialize_crt.LIBCMT ref: 6D35BEA9

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 414d5d5f5d20ce30bc3fe61c9940afc9aa78c02474d952e414795cb5fdd7cb84
Instruction ID: 44c0ac0ad04692f122b5820fc0f5ae6961eb69ce6b18eaf6698aeb11626f01b7
Opcode Fuzzy Hash: 414d5d5f5d20ce30bc3fe61c9940afc9aa78c02474d952e414795cb5fdd7cb84
Instruction Fuzzy Hash: 9941D172D0821AAFDB218F55CC41FBE7BB8EB817A8F068119EA556F140C7318961CFA0

Function 6D35BEF8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D35BF35
dllmain_crt_dispatch.LIBCMT ref: 6D35BF4C
dllmain_raw.LIBCMT ref: 6D35BF94
dllmain_crt_dispatch.LIBCMT ref: 6D35BFA7
dllmain_raw.LIBCMT ref: 6D35BFBA

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 73c49a63e2d07f40879ecef45001e5e1cdd9b2ff542f3ae1f8caccab6d346b25
Instruction ID: b4c4b6eefdecd5b6c19daa123640231b68896a1b9107b76318192c29dfa3c5f4
Opcode Fuzzy Hash: 73c49a63e2d07f40879ecef45001e5e1cdd9b2ff542f3ae1f8caccab6d346b25
Instruction Fuzzy Hash: 8D216D76D0821AABDB228E15CC41F7F3A79EB81A94F028115F9156F210C7328D618FA0

Function 6D35BD41 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D35BD8E

Part of subcall function 6D35C20B: InitializeSListHead.KERNEL32(6D3B9220,6D35BD98,6D36D650,00000010,6D35BD29,?,?,?,6D35BF51,?,00000001,?,?,00000001,?,6D36D698), ref: 6D35C210

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D35BDF8

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: aa8d48243688c2b5a072bda5d9f98aaf5628d2d01db5326943bcd019455f46ac
Instruction ID: 3a3ccbdd681740dd466b7e5916a9a6fb6c99c1f8b60766eeca1d462d21b389ee
Opcode Fuzzy Hash: aa8d48243688c2b5a072bda5d9f98aaf5628d2d01db5326943bcd019455f46ac
Instruction Fuzzy Hash: E321D23250D246AEDF119FB4A446FBD77A09F1A3ACF1A8419D7C16F2C2CB724170C666

Function 6D36236F Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6D3623BB
GetFileType.KERNELBASE(00000000), ref: 6D3623CD

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 5ab87a3397705c84c80e3f4f2b99bdc026f592c0ba4df807f297d6918f1906d8
Instruction ID: a99787df47de07d063d33b90f2e57db622ea6256a2a14b07b718ef46b4bdd7b7
Opcode Fuzzy Hash: 5ab87a3397705c84c80e3f4f2b99bdc026f592c0ba4df807f297d6918f1906d8
Instruction Fuzzy Hash: 1911A239504BD24AD7314E3E8E896327AA8B767630B36072AE5B98A1F5C331D4868671

Non-executed Functions

Function 6D38C3F0 Relevance: 20.5, Strings: 16, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VY, xrefs: 6D38C5A8
0A6C, xrefs: 6D38C8AC
?]._, xrefs: 6D38CEEB
<M?O, xrefs: 6D38C8A1
xQiS, xrefs: 6D38C592
Y\, xrefs: 6D38C6E9
<u>w, xrefs: 6D38C88B
ZR, xrefs: 6D38C6FF
rEpG, xrefs: 6D38C571
+U*W, xrefs: 6D38CF01
*])_, xrefs: 6D38C8CD
*m(o, xrefs: 6D38C849
uw, xrefs: 6D38CA79
I:K, xrefs: 6D38C896
TU, xrefs: 6D38C8E3
RG, xrefs: 6D38C6F4

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: I:K$*])_$*m(o$+U*W$0A6C$<M?O$<u>w$?]._$RG$TU$VY$Y\$ZR$rEpG$xQiS$uw
API String ID: 0-1428941810
Opcode ID: 730a38e5ee4b8d9e82d9c9f81d6edce7ad9572504c3a7a7f1d29d336ddd60cb6
Instruction ID: 9076c503f15235010854fcb7bf580da645d7d01180055881637f60a13973c3aa
Opcode Fuzzy Hash: 730a38e5ee4b8d9e82d9c9f81d6edce7ad9572504c3a7a7f1d29d336ddd60cb6
Instruction Fuzzy Hash: 4252B8B42093858BE3B8CF15D891BDEBBE1FB85344F90892DC5D99B245DB748086CF92

Function 6D3780D0 Relevance: 11.6, Strings: 9, Instructions: 347COMMON

Download Yara Rule

Strings

PP/R, xrefs: 6D37844D
E0, xrefs: 6D378465
4!, xrefs: 6D378146
@e, xrefs: 6D3782E3
VT.", xrefs: 6D378445
azbc, xrefs: 6D37811A
jzy{, xrefs: 6D37810F
h]mX, xrefs: 6D378455
UXtu, xrefs: 6D37845D

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 4!$@e$E0$PP/R$UXtu$VT."$azbc$h]mX$jzy{
API String ID: 0-1729160369
Opcode ID: 26ae9fcd58b3f6786542e21ce4fc92687753ff49fa868cc28f206eb9c15718af
Instruction ID: e36d73dba8081826dcc2b0a6f2085298ed049883128e55d2b3aaa57ad8eefed3
Opcode Fuzzy Hash: 26ae9fcd58b3f6786542e21ce4fc92687753ff49fa868cc28f206eb9c15718af
Instruction Fuzzy Hash: F4B176B11087828BD315CF29C49175BFBE0AF96744F28895CE4D58B362C339D94ACB96

Function 6D378530 Relevance: 7.9, Strings: 6, Instructions: 437COMMON

Download Yara Rule

Strings

{nvo, xrefs: 6D3787E8
eqXO, xrefs: 6D378A61
crkr, xrefs: 6D3787A7
0, xrefs: 6D378590
sbe`, xrefs: 6D3787AF
LM, xrefs: 6D378A6C

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 0$LM$crkr$eqXO$sbe`${nvo
API String ID: 0-764911014
Opcode ID: c72436e967dd020598ea26fc11812944d36d4ecbe61a5a04e70b9d7248f53b62
Instruction ID: 25b8aeda954816e7507aa7f437a2a6f6750fedd38a609f83bfa914c83c546b60
Opcode Fuzzy Hash: c72436e967dd020598ea26fc11812944d36d4ecbe61a5a04e70b9d7248f53b62
Instruction Fuzzy Hash: D70243B0618381AFD324CF24C990B6BBBE2FBC5744F54992DE4C98B291D738D805DB56

Function 6D384F2B Relevance: 7.8, Strings: 6, Instructions: 340COMMON

Download Yara Rule

Strings

w, xrefs: 6D385263
{q, xrefs: 6D385253
3Q1S, xrefs: 6D3850C3
LM, xrefs: 6D3850DB
3y, xrefs: 6D38524B
h-O/, xrefs: 6D38509B

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 3Q1S$3y$LM$h-O/$w${q
API String ID: 0-882505063
Opcode ID: aba745d65a786982f72d6073588b0bae3dccfde096a9c631333cee765fbf91ad
Instruction ID: d9ba9b82b027493a264afd514c35c0d84726d78ed6b6933ad4aa298ea44b85c3
Opcode Fuzzy Hash: aba745d65a786982f72d6073588b0bae3dccfde096a9c631333cee765fbf91ad
Instruction Fuzzy Hash: 7EC178765083409FC718CF04C8A066FBBE1AFC6358F158D1DE8EA5B342D7359A4ACB86

Function 6D3604C7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D3605BF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D3605C9
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D3605D6

Strings

Mw;", xrefs: 6D3604D2

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: Mw;"
API String ID: 3906539128-4032204789
Opcode ID: cbe067f019af41e99465d3561fa867e26fc01131fe1e5158455496e672ddadfe
Instruction ID: 004f44cddaea8f4b729007e5c7eda90413bb138053dc07914c09229888352899
Opcode Fuzzy Hash: cbe067f019af41e99465d3561fa867e26fc01131fe1e5158455496e672ddadfe
Instruction Fuzzy Hash: 3B31E87490121DABCF21DF24D889B9DBBB8BF08314F5045EAE51CA7250EB309B81CF55

Function 6D35C52A Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D35C536
IsDebuggerPresent.KERNEL32 ref: 6D35C602
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D35C61B
UnhandledExceptionFilter.KERNEL32(?), ref: 6D35C625

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 248c87fdb417a8b2ab210b11ee62b2cbb2aed7c1e07b5ca4697053863a485d54
Instruction ID: 58b5014ee6226998e8b9a8fcf392b02ebccde360fdc19e6cc0ad9e6b2ea9f76a
Opcode Fuzzy Hash: 248c87fdb417a8b2ab210b11ee62b2cbb2aed7c1e07b5ca4697053863a485d54
Instruction Fuzzy Hash: 1E31FAB5D05219ABDF10DF64C949BCDBBB8AF08704F1045DAE50CA7240EB719B84DF45

Function 6D38539C Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

\GAB, xrefs: 6D3855A2
^\MR, xrefs: 6D3855B2
XHPT, xrefs: 6D385582
szuj, xrefs: 6D3855C2

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: XHPT$\GAB$^\MR$szuj
API String ID: 0-3987498118
Opcode ID: 2a7779406c5e186560119268a970c5b325f2bb7c2292b06e581ec82687796933
Instruction ID: b99cb8abfaf8bc3e799668ae8912be7263528c6e02d90b56d8865f2fce817b1f
Opcode Fuzzy Hash: 2a7779406c5e186560119268a970c5b325f2bb7c2292b06e581ec82687796933
Instruction Fuzzy Hash: D6B18B7150C3818FD315CF28C49176BBBE2AFD6304F19886DE4DA8B392D7358909CB62

Function 6D38C38A Relevance: 3.9, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

" !&, xrefs: 6D38DCB9
a, xrefs: 6D38DCE5
E107, xrefs: 6D38DD2E

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: " !&$E107$a
API String ID: 0-2520488126
Opcode ID: 6c19a60f49acc049798ee96403bdb3d3dab617d5da4f9548f194deebaadadbe7
Instruction ID: 8ca24bde95223c60d536314edb2aa708caa3406e91191a6ce2b6d623635dfd98
Opcode Fuzzy Hash: 6c19a60f49acc049798ee96403bdb3d3dab617d5da4f9548f194deebaadadbe7
Instruction Fuzzy Hash: 1751BE72A183918FD335CF14D491BABB7E1EBD1310F45892ED5CA8B382DA749845CB92

Function 6D360B78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

Mw;", xrefs: 6D360C34

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: Mw;"
API String ID: 0-4032204789
Opcode ID: 7c14f1569c1dd09152c3730d8ef50a06b1220acecf3a2b5233005870ec3f835b
Instruction ID: 189ab02ea3dac372aa796d2b10076c79c5a105c149df144c246cbc3b951c6568
Opcode Fuzzy Hash: 7c14f1569c1dd09152c3730d8ef50a06b1220acecf3a2b5233005870ec3f835b
Instruction Fuzzy Hash: FD41C875805259AFDB10DF69CC8AAAABBB8EF45304F1442D9E459E3244DB319E448F60

Function 6D374190 Relevance: 3.3, Strings: 2, Instructions: 842COMMON

Download Yara Rule

Strings

8, xrefs: 6D374B40
0, xrefs: 6D374B4B

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 7e679853e31e0ed9f8f925e97b75c69aa02d712df44842b7c375ba2c696d3515
Instruction ID: 95fd6da5324808a8a8b9a3d50764e40cd6b48553f8c016ce255e5ae5c4d66fd4
Opcode Fuzzy Hash: 7e679853e31e0ed9f8f925e97b75c69aa02d712df44842b7c375ba2c696d3515
Instruction Fuzzy Hash: 387257716087419FD720CF28C88079BBBE5BF89314F04892DF99887391D779E958CB96

Function 6D3823C0 Relevance: 3.0, Strings: 2, Instructions: 453COMMON

Download Yara Rule

Strings

, xrefs: 6D38256F
, xrefs: 6D3822DF

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 83ec535f82daa42153f40594cf7d22467200b9a012ff2e263a1a4bedd164cc5a
Instruction ID: 3ff5472a3a219610f4737fe7b62d7cad74ee5f02388f965565b4d890d4d55ad1
Opcode Fuzzy Hash: 83ec535f82daa42153f40594cf7d22467200b9a012ff2e263a1a4bedd164cc5a
Instruction Fuzzy Hash: 6DD1CF7662C3429FD335CF24C8957ABB7E5AF86318F15482CD489C7242EB399485CBA3

Function 6D373710 Relevance: 2.9, Strings: 2, Instructions: 415COMMON

Download Yara Rule

Strings

), xrefs: 6D3737A9
IEND, xrefs: 6D373B91

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 113c6d710251e0129166b0257d3806dfb65e7c98d83d3a91b967f3bf462c6ffa
Instruction ID: 1664d722095a6140b614647d7b2e5a4fff304e645a8239299317defd3cdf3b9e
Opcode Fuzzy Hash: 113c6d710251e0129166b0257d3806dfb65e7c98d83d3a91b967f3bf462c6ffa
Instruction Fuzzy Hash: 66E1D1B1A087459FD720CF28C84575ABBE4FB85318F04892DF9A49B381D779E908CBD6

Function 6D381D80 Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

eo, xrefs: 6D381D8C
d, xrefs: 6D381F03

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: d$eo
API String ID: 0-1875096159
Opcode ID: 7b76c93a4d4b5b00f5af1e604507403927ebf9e5e94173bf7bf8eda637f5305c
Instruction ID: 4e1c7d95eeb8524bde9fc13abcd2b62c44d7b47e826d275ae980877bea77dcd6
Opcode Fuzzy Hash: 7b76c93a4d4b5b00f5af1e604507403927ebf9e5e94173bf7bf8eda637f5305c
Instruction Fuzzy Hash: 385138706293818FD374CF14D8E9B9AB7E1AFD6304F08482DD48D8B252D7399609CB67

Function 6D385A1E Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

<_D, xrefs: 6D385B17
78CN, xrefs: 6D385A6E

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 78CN$<_D
API String ID: 0-1360662621
Opcode ID: 35152913102f06681d7e1402df17430e96154fac8ec2ea529fc3a00ed08848fe
Instruction ID: c5e5d2ced1e2aeb1aa76a520650d76eb910e6fe5396e13a4e26caa830bd85259
Opcode Fuzzy Hash: 35152913102f06681d7e1402df17430e96154fac8ec2ea529fc3a00ed08848fe
Instruction Fuzzy Hash: 6E3138B150D3818FD3298F148090B6AFBF1ABD2314F18991DE4D54B252DBB58445CB96

Function 6D392DC0 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

", xrefs: 6D3932D2

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 626921dd2c0f6c0a4969d2eec34d73272c2c3a8b58f2a854ba4e6141e8994c6a
Instruction ID: 300c091f48a93e3765a53f2e33553d4b2c7522f9a71f72f4174f374cd408bb74
Opcode Fuzzy Hash: 626921dd2c0f6c0a4969d2eec34d73272c2c3a8b58f2a854ba4e6141e8994c6a
Instruction Fuzzy Hash: A60205B2A0C3069FD711CF28C881B2BBBE5AB85354F45C92DE499CB391E775D809C792

Function 6D367125 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D367120,?,?,00000008,?,?,6D366D23,00000000), ref: 6D367352

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8c519803d97a0d13f3bb1d5a459ae59d212ae9efe915c591faf929215af24971
Instruction ID: 7b2f733e78a39a4d523a964562a0b7dbb1d9a3d257331dd7265d6f2c4e03ea7d
Opcode Fuzzy Hash: 8c519803d97a0d13f3bb1d5a459ae59d212ae9efe915c591faf929215af24971
Instruction Fuzzy Hash: FAB1BFB1A20649CFD705CF28C486B647BE0FF05364F65C658E9A9CF2A5C336E981CB50

Function 6D35B700 Relevance: 1.7, Strings: 1, Instructions: 409COMMONLIBRARYCODE

Download Yara Rule

Strings

Mw;", xrefs: 6D35B71A

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: Mw;"
API String ID: 0-4032204789
Opcode ID: b886813e5e6f1ff497bb17216db1cab5ad6d772044da3f4508db51e3122e836d
Instruction ID: 9b22423c40e9dc58408c4b6cb45ab3f3e6b90680f651766dd9bf1da2b2673d80
Opcode Fuzzy Hash: b886813e5e6f1ff497bb17216db1cab5ad6d772044da3f4508db51e3122e836d
Instruction Fuzzy Hash: 7AE13435E5424A9FCF05CEACC4D2BDDBBF9BB56360F10911AD511EF340CA2A8855CB68

Function 6D35C6E8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D35C6FE

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b6c5340c54d90e863a63f191093aa51a7aafc339d8222e20d654efef6dd98ec8
Instruction ID: 31d1a6632de2c0a94c5276b42c601abea8f12fa1612bd6f66c4fd18adc2ef5b5
Opcode Fuzzy Hash: b6c5340c54d90e863a63f191093aa51a7aafc339d8222e20d654efef6dd98ec8
Instruction Fuzzy Hash: A1518BB1E0520ADFEB05CF55C882BAABBF8FB59318F10856AD414EB780D376D910CB60

Function 6D37F3A5 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

lx, xrefs: 6D37F691

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: lx
API String ID: 0-3595554650
Opcode ID: 22096bee09bd5474671cc10237d88cb1bbeca8dde8ec04b88883d36a90faa0e3
Instruction ID: 26e7cc31e30343a26b678bc8b15c90bd2f10d1e20d24fc73af24b4fc9401c530
Opcode Fuzzy Hash: 22096bee09bd5474671cc10237d88cb1bbeca8dde8ec04b88883d36a90faa0e3
Instruction Fuzzy Hash: F6D189716283818BD330CF14C8A5BABB7E1FFC6304F14492DE88997291D739A905CBA7

Function 6D351010 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

Mw;", xrefs: 6D351025

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: Mw;"
API String ID: 0-4032204789
Opcode ID: d5e95cc44e7440229b213593357f143881293775e2af8256b00e135e95f54b16
Instruction ID: fddd142667e4d43248b0f4359eb4dfeefceee229c06c33f02677e64c64a32780
Opcode Fuzzy Hash: d5e95cc44e7440229b213593357f143881293775e2af8256b00e135e95f54b16
Instruction Fuzzy Hash: EAA1F276A146468FDF05CE7CC891ADDBBF6BB8B350F148215C521E7794C33A8A15CB24

Function 6D375530 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

,, xrefs: 6D37569F

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: ce2f23334433c1b265e94497140114d90fa40d41d861fd11c8bd7d63b5a8541f
Instruction ID: e11bb781f8a0cb1f388dad7c7958e3f56c0f887087ec8227819e9d52cc0980e4
Opcode Fuzzy Hash: ce2f23334433c1b265e94497140114d90fa40d41d861fd11c8bd7d63b5a8541f
Instruction Fuzzy Hash: EBB14B7160D782AFD314CF68C48475ABBE1AFA9304F444A2DF59897382C375DA18CB96

Function 6D37ECE8 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

Q!, xrefs: 6D37FA7A

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: Q!
API String ID: 0-2920312500
Opcode ID: c8d3103640d1503b68c596d189348e52c32c3a1cf51a2c74f5910b92c3fe87f3
Instruction ID: b6cc56d1ac2c4d24c333551f525e1f52974b9331b951586853c4072a55c259b8
Opcode Fuzzy Hash: c8d3103640d1503b68c596d189348e52c32c3a1cf51a2c74f5910b92c3fe87f3
Instruction Fuzzy Hash: 5481CD71A187429FC375CF24C895BABB7E5AFC6314F05482CE489D7291DB38A844CB97

Function 6D3A82F0 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

@, xrefs: 6D3A8340

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a566c2f49bd684a27f020c0bf0dca1028fd8aff47bfd4390e860214e9233121c
Instruction ID: 047b23f9c28c27dcebc6740e8227163dff85d507e72cdb60258112d37ab304e8
Opcode Fuzzy Hash: a566c2f49bd684a27f020c0bf0dca1028fd8aff47bfd4390e860214e9233121c
Instruction Fuzzy Hash: 4631BCB5A083419FC300CF18D890B6ABBF5FF99328F544A2CE99497391D375D914CBA6

Function 6D37F889 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

j, xrefs: 6D37F893

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-2137352139
Opcode ID: 1d85f2d669f0b3eda5f0bb70503ea9f10462db25ebbb502b9270cdc91c2cb998
Instruction ID: f706a050747226b759e01dff71b8f366a0f79231265ee7818e0804b091ceb8a6
Opcode Fuzzy Hash: 1d85f2d669f0b3eda5f0bb70503ea9f10462db25ebbb502b9270cdc91c2cb998
Instruction Fuzzy Hash: 6D1148316093808BD3B4CF54C895BDBB7E1AF8A304F18882ED58DE7261DB399949CB16

Function 6D36229E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6D36229E

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0a287d874a9a0fe4f6b37f65952405a528d89717c83ee2f47ddabeeb9f2615e8
Instruction ID: 97609ca4e67c80b829cfeb945ec767237d893b6dd009be9804515946ba112f3f
Opcode Fuzzy Hash: 0a287d874a9a0fe4f6b37f65952405a528d89717c83ee2f47ddabeeb9f2615e8
Instruction Fuzzy Hash: 51A001B0605241AF9FA08F3A860A3197ABEAA6BAA57058169A449C5190FB2885509F22

Function 6D3769C0 Relevance: .9, Instructions: 884COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e859499323dc793a010e8c4e18aebef601dded927e1cecc6bcb6df4cb37b734
Instruction ID: 68a35fccb0cbdd1a9c4682ae28f8d9f86a216bdde928e1e6d934fe46d695c6dd
Opcode Fuzzy Hash: 5e859499323dc793a010e8c4e18aebef601dded927e1cecc6bcb6df4cb37b734
Instruction Fuzzy Hash: 7E521471A18B128BC325DF2CD89027AB3E1FFC4314F158A2DD9D597385D33AA852CB96

Function 6D372250 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858b074062d683fb360340624bd448f0f2526b20d9610d692b6d5cea907d077a
Instruction ID: 4b5592d3421400c09d88598a7ad94f7d7800e5ce94b6dd67ac706eb5e88ffa58
Opcode Fuzzy Hash: 858b074062d683fb360340624bd448f0f2526b20d9610d692b6d5cea907d077a
Instruction Fuzzy Hash: 20520435A087468FC725CF28C1806EABBF2FF88314F19866DE89997341D739E945CB85

Function 6D3939D8 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a27ac46132f9f7214f72008100ead2eb696e6f7df39f82f949ceb4260d2b4ea
Instruction ID: cb200d3cf05033e56d6695474c636ecddb604fbaf70d5ee9637210b3123d1b77
Opcode Fuzzy Hash: 8a27ac46132f9f7214f72008100ead2eb696e6f7df39f82f949ceb4260d2b4ea
Instruction Fuzzy Hash: 6912F771604B828BD328CF3980A1776FBE2BF96214F28865DC4EB4F796E735A406C751

Function 6D372CE0 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f019f17129a98b818176a5a84f1fe233b0516cb4321256fbba8f03a0d787d95f
Instruction ID: e869143724f0bc79fa23882002e5b9a692b84241f59562dc743d3149723e24ed
Opcode Fuzzy Hash: f019f17129a98b818176a5a84f1fe233b0516cb4321256fbba8f03a0d787d95f
Instruction Fuzzy Hash: 97425775628B11CFC379CF28C59066AB7F1FF46310B504A2DD6A28BB90D73AB845CB15

Function 6D3A3DE0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108bbd1e599b9389372dce2cc33016840f825636963ed1ab46d2d2faf28fbb74
Instruction ID: 312d20f926e10d05db4654d8333c64b9ec7b5cf556287e6c21341bb68de682ef
Opcode Fuzzy Hash: 108bbd1e599b9389372dce2cc33016840f825636963ed1ab46d2d2faf28fbb74
Instruction Fuzzy Hash: 86229F756083429FD301CF58D891B2AFBE1FB9A314F188A2DE5D88B391D775E805CB92

Function 6D374F20 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a478a0e87b8d108edcb9952827156c71d7d0da314f6d7dded5c5df5d21a8f976
Instruction ID: f396cc21c56555f8614228065fda7ee58524db47ea7192a56384e5776a92d287
Opcode Fuzzy Hash: a478a0e87b8d108edcb9952827156c71d7d0da314f6d7dded5c5df5d21a8f976
Instruction Fuzzy Hash: C902C4366087418FD7188F19C88176EBBE6EFC9304F08886DE9898B351DB79D845CB96

Function 6D38EB00 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f46b38b26c9e30fbc758fae783679e356d7dd78385b8e3d632d36f350dc129
Instruction ID: b5c13c4719bb4c48a8c60a0d0784de0964c22d4023ac4cac02cf49d16b8ada22
Opcode Fuzzy Hash: f1f46b38b26c9e30fbc758fae783679e356d7dd78385b8e3d632d36f350dc129
Instruction Fuzzy Hash: C9C1E2B1A083128FD301CF18C88176AB7E1EB96314F19892CE9D5D7352E336D905CB92

Function 6D3A86F0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0fc086294a717233062b437dbfa8d97f227ca05e523306115987bd2ece2ffc
Instruction ID: e21474ba9d89eccd7b4987c62d6771a81e3a7cdf44a2fc2312419f96e7807777
Opcode Fuzzy Hash: 6f0fc086294a717233062b437dbfa8d97f227ca05e523306115987bd2ece2ffc
Instruction Fuzzy Hash: 7691AD757043428BD714CF28C891A6BB7F2FF89714F198A2CE9958B261EB31DC45CB82

Function 6D3A8A10 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e0bc3228148164063c6a236d32576edd3f9fcda2d74cedd3d32c1e21387ec6
Instruction ID: 8d3c79f50c35aacc1b4e10659ce69cbdc365ee6b5224d2afbb36fabfa67e622d
Opcode Fuzzy Hash: 24e0bc3228148164063c6a236d32576edd3f9fcda2d74cedd3d32c1e21387ec6
Instruction Fuzzy Hash: 1BA1DE71B093528BC705CF18C890A6AB7E2FF88714F198A2CE9959B351D731EC51CBD2

Function 6D390D8C Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8556a9c0019ce565130813cbef378288a96f2d8c8da7175dbd80ec4c8cd97c8
Instruction ID: af8b6c7f8f72d27eff79814c7ed82f97abe6fd810edd99728a2da60245e8e35c
Opcode Fuzzy Hash: c8556a9c0019ce565130813cbef378288a96f2d8c8da7175dbd80ec4c8cd97c8
Instruction Fuzzy Hash: EA7189B55083418BD324CF19C4A13ABB7F2EFC2354F449A0DE4DA5B390E7B99845DB92

Function 6D383190 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c2a5755f4e779c87a76ef71a7f2bd907c0d3a1874d791f76277252a6f3eeca
Instruction ID: 4374f6524ccdd19510e349573af328634450f4d4d330a1f668abe09fd4119a0c
Opcode Fuzzy Hash: 04c2a5755f4e779c87a76ef71a7f2bd907c0d3a1874d791f76277252a6f3eeca
Instruction Fuzzy Hash: 6D51C1B291C6098FC7109F68CC857BAB7E8EF41318F09952DD899C7392EB7AD508C752

Function 6D39079B Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b0d547c6e3a072c427fc829247125a687f6550e9636ebf77a0772a13ee0f44
Instruction ID: fb86a29b19315acc13c11a4f2a25510982457e018bc9a306fc0ce4c8fa959fab
Opcode Fuzzy Hash: 24b0d547c6e3a072c427fc829247125a687f6550e9636ebf77a0772a13ee0f44
Instruction Fuzzy Hash: 5451D370A187428BC718CF29C85063AB7E2FFC9314F55862DE89ADB395E734E805CB91

Function 6D391CE1 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3932704aba590deb4197d4f9b0bd82922d1829fad40bb00a3466589b1c290a5e
Instruction ID: 8b2d8108db9dcd398b7e0b4a8e468411af0d75df000485b5611b9d9f46ba26ad
Opcode Fuzzy Hash: 3932704aba590deb4197d4f9b0bd82922d1829fad40bb00a3466589b1c290a5e
Instruction Fuzzy Hash: A751E3B290C7818FD324CF28C45176AFBEAABD5304F184A2EE5E5DB351E735D8018B52

Function 6D383C39 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74022e7ae721ee69f18bfa09368950f01d84790728a14b16530fc05442a3cdf7
Instruction ID: d787476fc887fa5f22697997975eaad6358618b0f5fa972410786c6667fcac93
Opcode Fuzzy Hash: 74022e7ae721ee69f18bfa09368950f01d84790728a14b16530fc05442a3cdf7
Instruction Fuzzy Hash: 66419EB5A147018FD725CF24C842B63B3F2FF96314B29896CD496CB361EB36A805C751

Function 6D3A7F60 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a2afaae6a145b7be37437a6f13e47f845563423de772e9d09ddbec4ddba44e
Instruction ID: c5f554ee5ce06ea77e94d8518dee3125cea6c3c05f63900a168d33fe231725dd
Opcode Fuzzy Hash: 80a2afaae6a145b7be37437a6f13e47f845563423de772e9d09ddbec4ddba44e
Instruction Fuzzy Hash: 67518A75708342AFD304CF18DC91B6AB7E2EF86704F58891CE9D897291D772E855CB82

Function 6D392300 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db60bd24c2146d975c662c1e149db04852fdfdbe49bbf08859b53d6ececbdc1c
Instruction ID: 341143cc82ae4ad253a19db310d775795404037cfdb258c2b6c047227aff653d
Opcode Fuzzy Hash: db60bd24c2146d975c662c1e149db04852fdfdbe49bbf08859b53d6ececbdc1c
Instruction Fuzzy Hash: E541BD745183228BD724CF14C5617ABB3F2BFD2348F549A2CE9DA1B390E7769905C782

Function 6D3A8130 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86000208116ac31e54408dcf2ca3aa2e2ece0f27dfc5eef3e1ea1949e576d8c9
Instruction ID: 8d570e969cc1181c90642a0201ae13ab6f81ba55bb06db54f0ae484ae9022d30
Opcode Fuzzy Hash: 86000208116ac31e54408dcf2ca3aa2e2ece0f27dfc5eef3e1ea1949e576d8c9
Instruction Fuzzy Hash: A5519C74B08741AFD300CF18D881B7BBBE2EB86744F58891CE5D897291C731E815CB86

Function 6D3910F7 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df4ba3dfa97cb9bd421905eb9aa0cb1b08e65d390135804af301f05fa8495f4
Instruction ID: d82bdf56a752722271dcc6b8c2471f42d44dd9f9f32df6d10800661ca4171b17
Opcode Fuzzy Hash: 9df4ba3dfa97cb9bd421905eb9aa0cb1b08e65d390135804af301f05fa8495f4
Instruction Fuzzy Hash: AC41BE74608202ABE718CF04D9A173FB3E6EFCA744F55991CE98A6B651D7329C01CB86

Function 6D37E410 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890152fa040b52a1864c198c6ea4ee8598826ae1b8b63511e366e5c183ef2a1e
Instruction ID: c9aa98bcd5c925af5ca16a48eaecdd4fd10a76e27182fd6c92859d897c0e8648
Opcode Fuzzy Hash: 890152fa040b52a1864c198c6ea4ee8598826ae1b8b63511e366e5c183ef2a1e
Instruction Fuzzy Hash: 2241117261C7614FE3188A2AC89136ABBD2EBC5324F05C62EF0E9873D1DA7C8845DB55

Function 6D392070 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a22e9ce17e5654dc8aafb10b0a0f521ddbb7140dae8aab8544715bcc0235857
Instruction ID: db6171ca2e7f8ed26b6e5814309ae27152b4ba167a9978a0948f080038125d1f
Opcode Fuzzy Hash: 4a22e9ce17e5654dc8aafb10b0a0f521ddbb7140dae8aab8544715bcc0235857
Instruction Fuzzy Hash: 7A4169746083028BD324CF18C991BABB3F1FF86794F44891CE9858B3A1E779D945CB92

Function 6D381399 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47141302373a02fc3b5c3eb17f5cab3f8244cbde14f9214461374234849d7c12
Instruction ID: 77c143e8e2f381b258b2aa2ddf178a0b5f402da8649408f4ccb06a5ba6c9eed5
Opcode Fuzzy Hash: 47141302373a02fc3b5c3eb17f5cab3f8244cbde14f9214461374234849d7c12
Instruction Fuzzy Hash: 8A4156316183408FD364DF54D8A1BABB7F5EBC5300F05882EE889DB392DB349945CBA2

Function 6D3A37F0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0f22a33d82c0495e4f4b706f02b4a01d0be671b0bae918405fad0265cfe011
Instruction ID: fb012d589bdac7234ece00eb2ca8cb266104062fd841ffd01660a50e3df7c885
Opcode Fuzzy Hash: ab0f22a33d82c0495e4f4b706f02b4a01d0be671b0bae918405fad0265cfe011
Instruction Fuzzy Hash: 1F317A71A083019FD300DF98C981B5BFBE8EB86318F158A1CE5D4AB251C336D9098B92

Function 6D371160 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae8af78a39ff9c7f65d1e1dd8f773f741c63194613eb10fd5ba5aa23dba1df1
Instruction ID: 98c239decc162c327f5e674991aad7e6065524eda89d8f9fc4c73d4f70ea0452
Opcode Fuzzy Hash: 9ae8af78a39ff9c7f65d1e1dd8f773f741c63194613eb10fd5ba5aa23dba1df1
Instruction Fuzzy Hash: C531D832618A019BD7208F58C891A37B7F5EF84354F14992CE899CF341D33AD952CB8A

Function 6D390310 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9891a6c1987d0aa3c9cb0ad1570315737e08ab9298547f88c377c1e70bd2d0d3
Instruction ID: 18be2dadd16bec37f59779bd69d436428ae6e4b83ffcfef37d0a80eb193c76bd
Opcode Fuzzy Hash: 9891a6c1987d0aa3c9cb0ad1570315737e08ab9298547f88c377c1e70bd2d0d3
Instruction Fuzzy Hash: 4621B431A092D04FD3124A3E8491669BBA2AF97728F698389E4F45B2E2D72689468711

Function 6D38D470 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1ab8fb32b2f6f1587f7aceb91b0d89a497f6a4fd57d686a3219d92405b274c
Instruction ID: 6e7c54f6075080db5d894c4b400d7c651d0f30fba1041df32dc9c92943190c76
Opcode Fuzzy Hash: ce1ab8fb32b2f6f1587f7aceb91b0d89a497f6a4fd57d686a3219d92405b274c
Instruction Fuzzy Hash: 0D218974509341CFD300CF28D092A6ABBF1BFD2744F84885EE0C68B262EB3AD945CB12

Function 6D392A70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993b181b9993475e50f2dfd66faf5a1f2cd4df07a488de521816ae3ea7985e0a
Instruction ID: 32e2f364a6586f765c5d5fd15fe428497b32e5a3dc13c2654aa44be47ed566c6
Opcode Fuzzy Hash: 993b181b9993475e50f2dfd66faf5a1f2cd4df07a488de521816ae3ea7985e0a
Instruction Fuzzy Hash: 8D0192FAB06F0267E7308E5499C1737B2A89F81608F45403CD9954B201EF66E80582D9

Function 6D37E724 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b0bca7c116f93985a271265a358f72dc5d1cf5272eb152c4af80edc4583c8e
Instruction ID: d0ce14d30123de465dd38d56a6316b86c9d055702d5f7b24758832534102901a
Opcode Fuzzy Hash: 76b0bca7c116f93985a271265a358f72dc5d1cf5272eb152c4af80edc4583c8e
Instruction Fuzzy Hash: A01136706283818BD3348F14D8E9BDBBBE2BBC6348F18482DE489C7650C73D8505CB1A

Function 6D383DF8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4ced82fa882be5d3fb3aa3a70294947a44b5b32bbe39863efe3361c506be32
Instruction ID: d7b5e3ff57173c1791aedac58bf796c04d77d65719e0659ed4baebf685d7fa1b
Opcode Fuzzy Hash: 1c4ced82fa882be5d3fb3aa3a70294947a44b5b32bbe39863efe3361c506be32
Instruction Fuzzy Hash: 74111776A00B018FD3158F29C891A22B7F2FF8A300708889CE596CB725E736E811DB10

Function 6D38F61A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93804f1d151500488af0f13b91251e364b9ff3065500049fc604f6ade05c5e5
Instruction ID: 0c653c3d46fbd3b8ac82c9858887d09f13e8c5be32f1245862a302ba7f1dcc69
Opcode Fuzzy Hash: d93804f1d151500488af0f13b91251e364b9ff3065500049fc604f6ade05c5e5
Instruction Fuzzy Hash: 2AE0397050C7869AD705CF258450576BBE2AF97248F04A99CE0CA97252E329D50ADB2A

Function 6D38281B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbfbb957a3ae57afc28f8099b96706c4d3dbf6ad204d7dff2ba39dcb9a2976c
Instruction ID: 2d0759f53daaf3970f81f66aaaae44048838d9267dea7838ff7576b6e6d60a7c
Opcode Fuzzy Hash: 8bbfbb957a3ae57afc28f8099b96706c4d3dbf6ad204d7dff2ba39dcb9a2976c
Instruction Fuzzy Hash: E1D05B79B4864047C615DB20D85047EB6239BC721CF066438C986F3760DF39F817978E

Function 6D38081C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6904151471783ee92b37b90a27787cfe41d9f1ff1ddf5471b246a78c0aaa47c3
Instruction ID: cf672916d1ba1711a8cc7591f96502e8e5938afae57771aad2d3236203eab3d9
Opcode Fuzzy Hash: 6904151471783ee92b37b90a27787cfe41d9f1ff1ddf5471b246a78c0aaa47c3
Instruction Fuzzy Hash: 12D0127DF99440878619DB20AC5187EB52A9BCB20CB06B439CE46F3751DF2DF913464E

Function 6D37B700 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 6b326a8bc68b90595820205db441b706d3f6ab7167b3379c1e22bd229dd73f77
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 99D0A771548BE60ED758CD3848A1477FBF8ED87552F24149EE4E5E7005D226D80146AC

Function 6D38F53A Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281d501df5ab605dda48040b67f3124cdbb628a08512351359de7ea75e30b089
Instruction ID: ae953a7b5711aa6b6eedb6f03d813ede60559223702f920f0cb3a8e3b3d117be
Opcode Fuzzy Hash: 281d501df5ab605dda48040b67f3124cdbb628a08512351359de7ea75e30b089
Instruction Fuzzy Hash: B2C09BF9D947499BD604DF30AC90426B3F677572CCF007824D24773111E615D508C76D

Function 6D3863D3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca5c82f5cfdf5c19e2029f0254dcaa59cd91808b7987feac67f87929da164e5
Instruction ID: 9c04d22507b68845b9312bcc500683f88995c98e6bf082e8c006725fadbd385d
Opcode Fuzzy Hash: 2ca5c82f5cfdf5c19e2029f0254dcaa59cd91808b7987feac67f87929da164e5
Instruction Fuzzy Hash: 85B092EAE1BC10A690211B103C054FAB4248A2300CF05A034CA8A22221A72AD22A40DF

Function 6D38FABE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3e71159761ad4b9b8b4c84e39d893cfd1619adf15d4be419ae6f0e90362b56
Instruction ID: d47939b1a2312f8293674d1f4c7053e1a37ebba8effcc54a93adb66211245b86
Opcode Fuzzy Hash: 2a3e71159761ad4b9b8b4c84e39d893cfd1619adf15d4be419ae6f0e90362b56
Instruction Fuzzy Hash: 5DB012D4D090004291118F006C40475A1788307008F003034D14CA3111D304D004815E

Function 6D38FC57 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e5539b6335c758ae2c1c8b5029fd19d554631d407aace07678134a7ba410ce
Instruction ID: 7099edd316ed23f7c9f3b14f7ddd2fae19bbf83e05bee7712811a53b68f8b192
Opcode Fuzzy Hash: 70e5539b6335c758ae2c1c8b5029fd19d554631d407aace07678134a7ba410ce
Instruction Fuzzy Hash: 3D900224D485058781108F049540471E2B8930B151F503410A10CF3011C250D444850C

Function 6D39A320 Relevance: 97.7, Strings: 78, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h4D, xrefs: 6D39A427
P$D, xrefs: 6D39A8A1
P$D, xrefs: 6D39A6DD
P$D, xrefs: 6D39A9D5
P$D, xrefs: 6D39A8F9
P$D, xrefs: 6D39A6C7
P$D, xrefs: 6D39A751
P$D, xrefs: 6D39A3AB
P$D, xrefs: 6D39A9BF
D5D, xrefs: 6D39A559
P$D, xrefs: 6D39A8B7
P$D, xrefs: 6D39A891
P$D, xrefs: 6D39A727
5D, xrefs: 6D39A69D
P$D, xrefs: 6D39A67D
P$D, xrefs: 6D39A867
P$D, xrefs: 6D39A5B9
05D, xrefs: 6D39A539
P4D, xrefs: 6D39A413
P$D, xrefs: 6D39A63B
P$D, xrefs: 6D39A993
P$D, xrefs: 6D39A8CD
P$D, xrefs: 6D39A9A9
84D, xrefs: 6D39A3FF
P5D, xrefs: 6D39A563
4D, xrefs: 6D39A4CF
P$D, xrefs: 6D39A371
P$D, xrefs: 6D39A83D
P$D, xrefs: 6D39A7FD
P$D, xrefs: 6D39A56D
\6D, xrefs: 6D39A747
46D, xrefs: 6D39A707
,4D, xrefs: 6D39A3F5
P$D, xrefs: 6D39A827
$7D, xrefs: 6D39A887
P$D, xrefs: 6D39A7E7
P$D, xrefs: 6D39A711
(6D, xrefs: 6D39A6FD
P$D, xrefs: 6D39A90F
P$D, xrefs: 6D39A3D5
P$D, xrefs: 6D39A925
\4D, xrefs: 6D39A41D
P$D, xrefs: 6D39A4ED
P$D, xrefs: 6D39A58D
t4D, xrefs: 6D39A431
P$D, xrefs: 6D39A651
P$D, xrefs: 6D39A503
P$D, xrefs: 6D39A967
P$D, xrefs: 6D39A445
P$D, xrefs: 6D39A5F9
D4D, xrefs: 6D39A409
P$D, xrefs: 6D39A45B
P$D, xrefs: 6D39A395
P$D, xrefs: 6D39A519
P$D, xrefs: 6D39A491
P$D, xrefs: 6D39A8E3
P$D, xrefs: 6D39A47B
P$D, xrefs: 6D39A543
x6D, xrefs: 6D39A77D
P$D, xrefs: 6D39A767
5D, xrefs: 6D39A693
P$D, xrefs: 6D39A93B
P$D, xrefs: 6D39A7D1
P$D, xrefs: 6D39A667
P$D, xrefs: 6D39A7A7
P$D, xrefs: 6D39A5D9
P$D, xrefs: 6D39A951
P6D, xrefs: 6D39A73D
P$D, xrefs: 6D39A791
P$D, xrefs: 6D39A6B1
3D, xrefs: 6D39A38B
P$D, xrefs: 6D39A60F
P$D, xrefs: 6D39A625
d5D, xrefs: 6D39A583
$5D, xrefs: 6D39A52F
4D, xrefs: 6D39A3EB
P$D, xrefs: 6D39A97D
P$D, xrefs: 6D39A5A3

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 4D$$5D$$7D$(6D$,4D$05D$46D$84D$D4D$D5D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P4D$P5D$P6D$\4D$\6D$d5D$h4D$t4D$x6D$3D$4D$5D$5D
API String ID: 0-34486471
Opcode ID: 402a9dc6d004261520f27fe8ac35e3028a1f1a7d2b3b50819d9a4a2bbf86ac99
Instruction ID: b3678de1baa4ffc2a840c5e79e659744310c171b9698d62928e9ff8226ce629b
Opcode Fuzzy Hash: 402a9dc6d004261520f27fe8ac35e3028a1f1a7d2b3b50819d9a4a2bbf86ac99
Instruction Fuzzy Hash: C8F192B8505B019BE325CF24D5986C3BBE0FB49B09F50992ED5EE47314C7B42689CF88

Function 6D3974E0 Relevance: 89.0, Strings: 71, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P$D, xrefs: 6D397B13
P$D, xrefs: 6D39758F
P$D, xrefs: 6D397921
P$D, xrefs: 6D3975FB
t1D, xrefs: 6D397777
P$D, xrefs: 6D39794D
$2D, xrefs: 6D397819
P$D, xrefs: 6D3975E5
P$D, xrefs: 6D3976B9
3D, xrefs: 6D3979D1
P$D, xrefs: 6D3976A3
P$D, xrefs: 6D397AE7
P$D, xrefs: 6D3977EF
`2D, xrefs: 6D397879
P$D, xrefs: 6D397A21
P$D, xrefs: 6D397A8F
\1D, xrefs: 6D397763
P$D, xrefs: 6D397937
P$D, xrefs: 6D3975CF
P$D, xrefs: 6D397579
P$D, xrefs: 6D3978A3
82D, xrefs: 6D397839
P1D, xrefs: 6D397759
P$D, xrefs: 6D397ABB
P$D, xrefs: 6D397AFD
t2D, xrefs: 6D397899
P$D, xrefs: 6D397963
P$D, xrefs: 6D397AD1
P$D, xrefs: 6D3976ED
D1D, xrefs: 6D39774F
P$D, xrefs: 6D39753D
40D, xrefs: 6D3975A5
1D, xrefs: 6D3977DB
P$D, xrefs: 6D3978C3
P$D, xrefs: 6D39754D
P$D, xrefs: 6D397863
P$D, xrefs: 6D397A79
P$D, xrefs: 6D397979
P$D, xrefs: 6D397843
P$D, xrefs: 6D397625
P$D, xrefs: 6D397A37
P$D, xrefs: 6D397719
l0D, xrefs: 6D397611
P$D, xrefs: 6D3975B9
P$D, xrefs: 6D397A4D
P$D, xrefs: 6D397A63
P$D, xrefs: 6D397A0B
@0D, xrefs: 6D3975AF
P$D, xrefs: 6D397883
x0D, xrefs: 6D39761B
P$D, xrefs: 6D397AA5
P$D, xrefs: 6D397703
h1D, xrefs: 6D39776D
,3D, xrefs: 6D3979DB
P$D, xrefs: 6D397665
81D, xrefs: 6D397745
P$D, xrefs: 6D397B29
P$D, xrefs: 6D397563
L2D, xrefs: 6D397859
P$D, xrefs: 6D39764F
P$D, xrefs: 6D3979BB
P$D, xrefs: 6D3979E5
P$D, xrefs: 6D39798F
1D, xrefs: 6D3977D1
P$D, xrefs: 6D3979FB
P$D, xrefs: 6D3978F7
P$D, xrefs: 6D39751A
P$D, xrefs: 6D3979A5
P$D, xrefs: 6D397823
P$D, xrefs: 6D39772F
P$D, xrefs: 6D3974F1

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 3D$$2D$,3D$40D$81D$82D$@0D$D1D$L2D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P1D$\1D$`2D$h1D$l0D$t1D$t2D$x0D$1D$1D
API String ID: 0-2979357682
Opcode ID: 5749c2f9bb58ac51c36bb06a52e3bf3b96f24110a469891523e8413d53274165
Instruction ID: 8d8b7f3f934ca192b41b7035fa40b3f2e751c30adf96636312c6e4e8db6f158f
Opcode Fuzzy Hash: 5749c2f9bb58ac51c36bb06a52e3bf3b96f24110a469891523e8413d53274165
Instruction Fuzzy Hash: 69E165B8501B418BE324CF25D588683BBE4FB49B09F50DA1ED5BE47318D7B46649CF88

Function 6D39F5B0 Relevance: 80.2, Strings: 64, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L@D, xrefs: 6D39F9A3
0;D, xrefs: 6D39F9D9
@?D, xrefs: 6D39F81B
x>D, xrefs: 6D39F737
0;D, xrefs: 6D39F695
<>D, xrefs: 6D39F6D7
0;D, xrefs: 6D39F8A5
0;D, xrefs: 6D39F6F5
0;D, xrefs: 6D39F755
0;D, xrefs: 6D39F983
0;D, xrefs: 6D39F859
H>D, xrefs: 6D39F6E1
d?D, xrefs: 6D39F839
0;D, xrefs: 6D39FB0B
0;D, xrefs: 6D39F8D1
=D, xrefs: 6D39F641
0;D, xrefs: 6D39F88F
0;D, xrefs: 6D39FA71
?D, xrefs: 6D39F91B
0;D, xrefs: 6D39FA9D
0;D, xrefs: 6D39F92F
0;D, xrefs: 6D39F70B
|@D, xrefs: 6D39F9F9
0;D, xrefs: 6D39F843
0;D, xrefs: 6D39F86F
0;D, xrefs: 6D39F77F
0;D, xrefs: 6D39F9AD
p@D, xrefs: 6D39F9EF
0;D, xrefs: 6D39FA19
0;D, xrefs: 6D39FB37
0;D, xrefs: 6D39F64B
0;D, xrefs: 6D39F8BB
0;D, xrefs: 6D39FA45
0;D, xrefs: 6D39F905
0;D, xrefs: 6D39F6AB
0;D, xrefs: 6D39FAC9
T>D, xrefs: 6D39F6EB
0;D, xrefs: 6D39F661
0;D, xrefs: 6D39FADF
0;D, xrefs: 6D39FAB3
X?D, xrefs: 6D39F82F
,@D, xrefs: 6D39F979
@D, xrefs: 6D39F96F
L?D, xrefs: 6D39F825
0;D, xrefs: 6D39FA5B
?D, xrefs: 6D39F7F1
?D, xrefs: 6D39F925
0;D, xrefs: 6D39F621
0;D, xrefs: 6D39FA2F
0;D, xrefs: 6D39F6C1
0;D, xrefs: 6D39F959
0;D, xrefs: 6D39F60B
0;D, xrefs: 6D39FB21
4?D, xrefs: 6D39F811
0;D, xrefs: 6D39FAF5
0;D, xrefs: 6D39FB4D
0;D, xrefs: 6D39F795
@@D, xrefs: 6D39F999
>D, xrefs: 6D39F7BF
0;D, xrefs: 6D39FA03
0;D, xrefs: 6D39FA87
0;D, xrefs: 6D39F7FB
0;D, xrefs: 6D39F9C3
0;D, xrefs: 6D39F721

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: ?D$ @D$,@D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$0;D$4?D$<>D$@?D$@@D$H>D$L?D$L@D$T>D$X?D$d?D$p@D$x>D$|@D$=D$>D$?D$?D
API String ID: 0-2349161180
Opcode ID: e1e054a34b5c2dd1b0d087a9bc06cbc8bdcc1fb95b5ea3f5958a91adf7871b9b
Instruction ID: 218ff49cdfee946439f3d26d9a133e0e52340f30887c170fb4624de840b326fc
Opcode Fuzzy Hash: e1e054a34b5c2dd1b0d087a9bc06cbc8bdcc1fb95b5ea3f5958a91adf7871b9b
Instruction Fuzzy Hash: 51D150B4515B908BE328CF24E458792BBE1FB49B0AF508A1ED5AF47351CBB43649CF48

Function 6D39CA70 Relevance: 38.8, Strings: 31, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x8D, xrefs: 6D39CBBE
X8D, xrefs: 6D39CB96
P$D, xrefs: 6D39CA81
P$D, xrefs: 6D39CC86
8D, xrefs: 6D39CB50
P$D, xrefs: 6D39CAB0
P$D, xrefs: 6D39CCD6
7D, xrefs: 6D39CB0A
P$D, xrefs: 6D39CCC2
P$D, xrefs: 6D39CCEA
@8D, xrefs: 6D39CB78
7D, xrefs: 6D39CB00
88D, xrefs: 6D39CB6E
P$D, xrefs: 6D39CC9A
P$D, xrefs: 6D39CBE6
P8D, xrefs: 6D39CB8C
P$D, xrefs: 6D39CC72
P$D, xrefs: 6D39CC5E
P$D, xrefs: 6D39CBFA
P$D, xrefs: 6D39CCAE
P$D, xrefs: 6D39CC22
h8D, xrefs: 6D39CBAA
H8D, xrefs: 6D39CB82
`8D, xrefs: 6D39CBA0
P$D, xrefs: 6D39CC4A
p8D, xrefs: 6D39CBB4
P$D, xrefs: 6D39CC36
P$D, xrefs: 6D39CBD2
(8D, xrefs: 6D39CB5A
P$D, xrefs: 6D39CC0E
08D, xrefs: 6D39CB64

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: 8D$(8D$08D$88D$@8D$H8D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P$D$P8D$X8D$`8D$h8D$p8D$x8D$7D$7D
API String ID: 0-3864607224
Opcode ID: eb333e4e345c3a047f4c747ee0c0788a8ec836b63cca9b481376d77f548856a2
Instruction ID: ffacbf0024967ff62fa152ee1adcbc978d561d6dd6edc4f1aba495d1c58547f4
Opcode Fuzzy Hash: eb333e4e345c3a047f4c747ee0c0788a8ec836b63cca9b481376d77f548856a2
Instruction Fuzzy Hash: C6511DF4501B459BE3209F21CA497C7BAE2EB4570AF40D91E91FE1A345C7F8224A8F98

Function 6D387E70 Relevance: 15.2, Strings: 12, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1I=O, xrefs: 6D38804B
E-T3, xrefs: 6D3880F0, 6D3880F4
Hedk, xrefs: 6D388083
D5A;, xrefs: 6D388023
F1[7, xrefs: 6D38801B
$U [, xrefs: 6D388063
1Y _, xrefs: 6D38806B
hE&K, xrefs: 6D388043
U%U+, xrefs: 6D3880B6
%M:S, xrefs: 6D388053
oAmG, xrefs: 6D38803B
U9I?, xrefs: 6D38802B

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: $U [$%M:S$1I=O$1Y _$D5A;$E-T3$F1[7$Hedk$U%U+$U9I?$hE&K$oAmG
API String ID: 0-3536370757
Opcode ID: 395ac9e3943335021887cf8de60dabccc6121b08b7588c4bcff2f378c30eeb28
Instruction ID: 740a9e6967f923408d9fca3ec6edcc0c5aae7a6a253a9e1e48aef01525f419e8
Opcode Fuzzy Hash: 395ac9e3943335021887cf8de60dabccc6121b08b7588c4bcff2f378c30eeb28
Instruction Fuzzy Hash: C36152B16083419BC704CF19C491A6ABBF1FF8A798F108A1CF8E49B352E334D945CB96

Function 6D39C890 Relevance: 13.9, Strings: 11, Instructions: 160COMMON

Download Yara Rule

Strings

n, xrefs: 6D39C9AF
V, xrefs: 6D39C997
!, xrefs: 6D39C98B
c, xrefs: 6D39C9B3
l, xrefs: 6D39C9B7
P, xrefs: 6D39C9A7
[, xrefs: 6D39C98F
c, xrefs: 6D39C993
b, xrefs: 6D39C99B
a, xrefs: 6D39C9A3
W, xrefs: 6D39C99F

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: !$P$V$W$[$a$b$c$c$l$n
API String ID: 0-442629251
Opcode ID: 71070ffd06b732138d49f0bfb978ec2a2a037be5baa70a4e0dd4dd3b1d402b82
Instruction ID: 549fba79cf48a7c2420c66cd9817f8ab084fe828fa6d6f36169a9c0568673bb9
Opcode Fuzzy Hash: 71070ffd06b732138d49f0bfb978ec2a2a037be5baa70a4e0dd4dd3b1d402b82
Instruction Fuzzy Hash: DF6169B4508B41CFC721DF38D485606BBE1AF1A314F14896CD8DA8F396E735A815CBA2

Function 6D35DF5A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D35E079
___TypeMatch.LIBVCRUNTIME ref: 6D35E187
_UnwindNestedFrames.LIBCMT ref: 6D35E2D9
CallUnexpected.LIBVCRUNTIME ref: 6D35E2F4

Strings

csm, xrefs: 6D35DF97
csm, xrefs: 6D35E0B0
csm, xrefs: 6D35E004

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: caaeb15d7573fe8fd24a5ea150ced2a934ce0a1acc23e734623fefb8d26442c1
Instruction ID: 0ce587999713daba591840e15a4d96de698e1a00c2f6ae21ad25e3e7fe9d9f79
Opcode Fuzzy Hash: caaeb15d7573fe8fd24a5ea150ced2a934ce0a1acc23e734623fefb8d26442c1
Instruction Fuzzy Hash: EFB1987180430AEFCF15DFA0D881DAEBBB5BF48314B11866AE951BB205D732DA61CF91

Function 6D35D000 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6D35D037
___except_validate_context_record.LIBVCRUNTIME ref: 6D35D03F
_ValidateLocalCookies.LIBCMT ref: 6D35D0C8
__IsNonwritableInCurrentImage.LIBCMT ref: 6D35D0F3
_ValidateLocalCookies.LIBCMT ref: 6D35D148

Strings

csm, xrefs: 6D35D0DD
Mw;", xrefs: 6D35D0B2, 6D35D12F

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: Mw;"$csm
API String ID: 1170836740-3278274464
Opcode ID: 57f476c70b9c97fad7731f2ac8aa0085d9d076de36593ee48c1b87b41b5abde2
Instruction ID: a874d0af5db8eac5320579418f8c5f042a1eec5788416222307fe68b6be48c18
Opcode Fuzzy Hash: 57f476c70b9c97fad7731f2ac8aa0085d9d076de36593ee48c1b87b41b5abde2
Instruction Fuzzy Hash: 4441C234A04259ABCF00DF68D880EAEBBB4BF85318F11C155E9149B395D732EA66CB91

Function 6D363B95 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D363C1A
__alloca_probe_16.LIBCMT ref: 6D363CE3
__freea.LIBCMT ref: 6D363D4A

Part of subcall function 6D362D2D: HeapAlloc.KERNEL32(00000000,6D361677,6D362A47,?,6D361677,00000220,?,?,6D362A47), ref: 6D362D5F

__freea.LIBCMT ref: 6D363D5D
__freea.LIBCMT ref: 6D363D6A

Strings

Mw;", xrefs: 6D363B9C

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID: Mw;"
API String ID: 1096550386-4032204789
Opcode ID: f1a4e129d2b8e4db18a6f23d3999ab98e13896394d7b6821f2eca5169b99e6c3
Instruction ID: a54275f66c7ee2e4b8a264ae2d7f04fbd9166f5d4b2372fe4b7b1ad15718d7e8
Opcode Fuzzy Hash: f1a4e129d2b8e4db18a6f23d3999ab98e13896394d7b6821f2eca5169b99e6c3
Instruction Fuzzy Hash: 5351C27260528BBFEB215F648C82EBB36A9EF45714F1A4129FE24D7118E772CC108670

Function 6D361ECA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6D361FDC,00000000,6D35F7E0,00000000,00000000,00000001,?,6D362155,00000022,FlsSetValue,6D369898,6D3698A0,00000000), ref: 6D361F8B

Strings

ext-ms-, xrefs: 6D361F35
api-ms-, xrefs: 6D361F21

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: d188b5ad51b1cf6d8a041c4962e61e51a7ba8d19fccfa6596e023e303526cb1b
Instruction ID: 96ee246036dd93cf01daf5d1c88e3b8cfe4d756f0487a33eafdfc19f70b37a58
Opcode Fuzzy Hash: d188b5ad51b1cf6d8a041c4962e61e51a7ba8d19fccfa6596e023e303526cb1b
Instruction Fuzzy Hash: B721C633945192BBCB129F389C45AAA377C9F437A4B110615FA15AB2C8DB31E900C6F0

Function 6D35F10E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,223B774D,00000000,?,00000000,6D367A22,000000FF,?,6D35F0A8,?,?,6D35F07C,?), ref: 6D35F143
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D35F155
FreeLibrary.KERNEL32(00000000,?,00000000,6D367A22,000000FF,?,6D35F0A8,?,?,6D35F07C,?), ref: 6D35F177

Strings

CorExitProcess, xrefs: 6D35F14D
Mw;", xrefs: 6D35F123
mscoree.dll, xrefs: 6D35F13C

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$Mw;"$mscoree.dll
API String ID: 4061214504-1097367861
Opcode ID: e7c3dcad29350bb2b7c983f18f13be55af6d888a1fd46c48309b0c82d539566e
Instruction ID: 3093fa6f0206e26a6f31916b85e1a006ca7df2dced4b41cbcff033be147bc9db
Opcode Fuzzy Hash: e7c3dcad29350bb2b7c983f18f13be55af6d888a1fd46c48309b0c82d539566e
Instruction Fuzzy Hash: D7018F3191056ABFDF118F90CC05FBE7BB8FB09754F000625E821A2680DB759900CAA4

Function 6D378E80 Relevance: 10.3, Strings: 8, Instructions: 270COMMON

Download Yara Rule

Strings

X, xrefs: 6D378ECE
X, xrefs: 6D378EF6
B, xrefs: 6D378EEC
X, xrefs: 6D378EB0
F, xrefs: 6D378F00
R, xrefs: 6D378ED8
Z, xrefs: 6D378EC4
P, xrefs: 6D378EBA

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: B$F$P$R$X$X$X$Z
API String ID: 0-3412365628
Opcode ID: 578134f4451ad78a3f9a9181d8e874eb2f163d4625e1681ae8047a6aa5fc69ca
Instruction ID: f37ad93932c3c2dd9bb10e41e6d31412a8b16ec32d1168aa0af39287029d943d
Opcode Fuzzy Hash: 578134f4451ad78a3f9a9181d8e874eb2f163d4625e1681ae8047a6aa5fc69ca
Instruction Fuzzy Hash: 24C1497450CB85CFC311DF28D48460ABBE4BB9A328F058A2DF5E497392D3799844CB6B

Function 6D385E60 Relevance: 9.2, Strings: 7, Instructions: 418COMMON

Download Yara Rule

Strings

JM, xrefs: 6D385EDE
J9t;, xrefs: 6D385F08
]!L#, xrefs: 6D386298
,E-G, xrefs: 6D385ECA
]!L#, xrefs: 6D385E82
vY-[, xrefs: 6D385EB2
M-B/, xrefs: 6D385E9A

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: ,E-G$J9t;$JM$M-B/$]!L#$]!L#$vY-[
API String ID: 0-3492093773
Opcode ID: 4718b2ed445e4492efedbda24ea641f3b2d4ad46e253a618cba03d175d6cb8f9
Instruction ID: d8a12c76956d199ef1c7f8e117a79e1280a53afd8fd6768adf85b26e811b765e
Opcode Fuzzy Hash: 4718b2ed445e4492efedbda24ea641f3b2d4ad46e253a618cba03d175d6cb8f9
Instruction Fuzzy Hash: 69C199B15183118BC314CF18C8A266BB7F1FF86764F058A1CE8E64B392E3B59905CB92

Function 6D3642A2 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(223B774D,00000000,00000000,?), ref: 6D364305

Part of subcall function 6D361CCC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D363D40,?,00000000,-00000008), ref: 6D361D2D

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D364557
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D36459D
GetLastError.KERNEL32 ref: 6D364640

Strings

Mw;", xrefs: 6D3642B8

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID: Mw;"
API String ID: 2112829910-4032204789
Opcode ID: d8bbd92d1a826b734f85cb856ec942377bf29714166a4568f11bbdc03f0c4b1f
Instruction ID: cc3ed2f4b7889a76b5469fb2fe23afa10271d3b71720533ca314cf1e2f14853f
Opcode Fuzzy Hash: d8bbd92d1a826b734f85cb856ec942377bf29714166a4568f11bbdc03f0c4b1f
Instruction Fuzzy Hash: 12D18C75D08289AFCF01CFA8D890AADBBB9FF09314F14812AE655EB355D730A941CB60

Function 6D35D5AC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D35D1E1,6D35C300,6D35BD19,?,6D35BF51,?,00000001,?,?,00000001,?,6D36D698,0000000C,6D35C04A), ref: 6D35D5BA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D35D5C8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D35D5E1
SetLastError.KERNEL32(00000000,6D35BF51,?,00000001,?,?,00000001,?,6D36D698,0000000C,6D35C04A,?,00000001,?), ref: 6D35D633

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 52630c9171c5ed01e6b86ed86ebbd89c2c7ef4b597de40afdccf84ba0365ff55
Instruction ID: 3e158f98ebfb6ac99a6b2f5e3d44a7248ceef6e6646e5d0c2ca886456c141296
Opcode Fuzzy Hash: 52630c9171c5ed01e6b86ed86ebbd89c2c7ef4b597de40afdccf84ba0365ff55
Instruction Fuzzy Hash: 2A01F77260D7137EEB051EB47C85F662B6CEB977787A0423DE314560D0EF9248325351

Function 6D388B00 Relevance: 8.9, Strings: 7, Instructions: 154COMMON

Download Yara Rule

Strings

@D, xrefs: 6D388B9E
xD, xrefs: 6D388BDC
4D, xrefs: 6D388B94
XD, xrefs: 6D388BB2
dD, xrefs: 6D388BBC
(D, xrefs: 6D388B8A
LD, xrefs: 6D388BA8

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: (D$4D$@D$LD$XD$dD$xD
API String ID: 0-1939173174
Opcode ID: 2961d8d3b4598d5670d62b1fe0894391877362b13ceaba05eddaf8f029c046f6
Instruction ID: fdfc5d98b0d55c655ac255f83d83ec3e819c2fe7fca408d11d8098c088c08e4f
Opcode Fuzzy Hash: 2961d8d3b4598d5670d62b1fe0894391877362b13ceaba05eddaf8f029c046f6
Instruction Fuzzy Hash: C0B18FB9411B408FE360CF6595482C2FBE5FB95318F258D1ECAAA1B321C7B47429CF88

Function 6D3610FE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\tGm4SuP0sz.exe, xrefs: 6D36111A

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\tGm4SuP0sz.exe
API String ID: 0-440438403
Opcode ID: 36cb0e296e87d2ecbe873792ec70f6021b559d9311f6337ed323c7159f86f702
Instruction ID: 849ac374fbafe57af926d2b07d89ad5b1ba77a3be76e71d81c01193366e2a9dc
Opcode Fuzzy Hash: 36cb0e296e87d2ecbe873792ec70f6021b559d9311f6337ed323c7159f86f702
Instruction Fuzzy Hash: 98218175208286BF9B119F75CC9196BB7BDBF46368701C619EA58D7148EB32EC10CBB0

Function 6D363A74 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D363AE6
GetStringTypeW.KERNEL32(?,-00000008,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,FFFFF9B5), ref: 6D363B3E
__freea.LIBCMT ref: 6D363B4B

Part of subcall function 6D362D2D: HeapAlloc.KERNEL32(00000000,6D361677,6D362A47,?,6D361677,00000220,?,?,6D362A47), ref: 6D362D5F

Strings

Mw;", xrefs: 6D363A7C

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: AllocHeapStringType__alloca_probe_16__freea
String ID: Mw;"
API String ID: 324646697-4032204789
Opcode ID: 1f3401780dac102793a6166c24dc5b0cf715be4c8c8e79880840e578cf991e5f
Instruction ID: 99cf0f3cbb4bae128b15171f1f902a3091e929f3db4832a19ed3fcc769f1449c
Opcode Fuzzy Hash: 1f3401780dac102793a6166c24dc5b0cf715be4c8c8e79880840e578cf991e5f
Instruction Fuzzy Hash: A831E272D0028AABDF118F64CC42EEF7BB9EF44714F0A8128E914A7259E775C850CBB4

Function 6D3611FB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6D361220
GetLastError.KERNEL32 ref: 6D36122A
__dosmaperr.LIBCMT ref: 6D361231

Strings

Mw;", xrefs: 6D361206

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ErrorFileLastModuleName__dosmaperr
String ID: Mw;"
API String ID: 4076908705-4032204789
Opcode ID: 83689fe9a2e96195fc70b7184a1c5ae1bac6206e0492b240ae9f7ffe220b4e68
Instruction ID: 2cb6f0a7aea0ef561279e4f03f93ac8706707dde9c2490422c02e463a7c73535
Opcode Fuzzy Hash: 83689fe9a2e96195fc70b7184a1c5ae1bac6206e0492b240ae9f7ffe220b4e68
Instruction Fuzzy Hash: BA11097194825DABCF10DFA9D889BDA77B8BB18304F118499E509E7240DB709A848FA4

Function 6D35DB82 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D35DB33,00000000,?,00000001,?,?,?,6D35DC22,00000001,FlsFree,6D368F70,FlsFree), ref: 6D35DB8F
GetLastError.KERNEL32(?,6D35DB33,00000000,?,00000001,?,?,?,6D35DC22,00000001,FlsFree,6D368F70,FlsFree,00000000,?,6D35D681), ref: 6D35DB99
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D35DBC1

Strings

api-ms-, xrefs: 6D35DBA6

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 6c44fed44beec3e966adca1066471a3126afd16b37ac9d1b59dbd2d4fc5efcfe
Instruction ID: 09161e132495a4667f503313b6e0ea35dbdbce23c4c5fca4ffb555176dd73cc6
Opcode Fuzzy Hash: 6c44fed44beec3e966adca1066471a3126afd16b37ac9d1b59dbd2d4fc5efcfe
Instruction Fuzzy Hash: 0EE01A3028824AF7EF101B61EC06F293B7AAF46B55F104421FA0CA80E5D7A294208595

Function 6D3786E0 Relevance: 6.6, Strings: 5, Instructions: 327COMMON

Download Yara Rule

Strings

{nvo, xrefs: 6D3787E8
eqXO, xrefs: 6D378A61
crkr, xrefs: 6D3787A7
sbe`, xrefs: 6D3787AF
LM, xrefs: 6D378A6C

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: LM$crkr$eqXO$sbe`${nvo
API String ID: 0-2776353322
Opcode ID: d0875e816820c4f4258ac7d89009c43ce509b35b380204f6ff998d640ffbb1ac
Instruction ID: 27dd1bd5e6ef1020418085d1235b5f0df75b273d68cab422f8e05d2c586650d8
Opcode Fuzzy Hash: d0875e816820c4f4258ac7d89009c43ce509b35b380204f6ff998d640ffbb1ac
Instruction Fuzzy Hash: 9DD121B0218381ABD328CF14D9A1B6FBBE2FBC1744F54992CE4D98B251D738D805DB96

Function 6D35DD03 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D35DDCA
___AdjustPointer.LIBCMT ref: 6D35DDED
___AdjustPointer.LIBCMT ref: 6D35DE89

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2049c0f8258caf82960a7b34d77b984c4a579101f004a98278015e206987f818
Instruction ID: 83395180a41f1c50e127379ac5e1e3fe764197e3834a842b6e328d1ca5c4f7ee
Opcode Fuzzy Hash: 2049c0f8258caf82960a7b34d77b984c4a579101f004a98278015e206987f818
Instruction Fuzzy Hash: 42510172605602EFEB258F50E841FBAB3B4FF95304F14812DDA5547690E736E870CB90

Function 6D360918 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D361CCC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D363D40,?,00000000,-00000008), ref: 6D361D2D

GetLastError.KERNEL32 ref: 6D36097C
__dosmaperr.LIBCMT ref: 6D360983
GetLastError.KERNEL32(?,?,?,?), ref: 6D3609BD
__dosmaperr.LIBCMT ref: 6D3609C4

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 04c162b335a8f1ec2acdde95ce9316c3761c7406894ece6ab4aa7259b6436432
Instruction ID: 4fd1da9ed92acc011bac5c1b33f09db89337ba31df2fe633f1c01a134cd95f2b
Opcode Fuzzy Hash: 04c162b335a8f1ec2acdde95ce9316c3761c7406894ece6ab4aa7259b6436432
Instruction Fuzzy Hash: 7221B831208686BFAB119F778C4292AB7EEFF45364701C419EA99A7158D732EC108BB0

Function 6D361D6F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D361D77

Part of subcall function 6D361CCC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D363D40,?,00000000,-00000008), ref: 6D361D2D

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D361DAF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D361DCF

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 7cbfdb982357297c8f1efbbc9bdaae4d7fdc1b8b5f35cc6559544802f55abb71
Instruction ID: 31d5b9c857413d8a34992eae8c1584377e380fe0d4bfc4c2cea734ddfb369857
Opcode Fuzzy Hash: 7cbfdb982357297c8f1efbbc9bdaae4d7fdc1b8b5f35cc6559544802f55abb71
Instruction Fuzzy Hash: 0511D6F590A5DA7FA71217778C89C7F6E7CDE8B2993158424FA41D2104EF31CE0085B1

Function 6D365C16 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D3653D6,00000000,00000001,00000000,?,?,6D364694,?,00000000,00000000), ref: 6D365C2D
GetLastError.KERNEL32(?,6D3653D6,00000000,00000001,00000000,?,?,6D364694,?,00000000,00000000,?,?,?,6D364C37,00000000), ref: 6D365C39

Part of subcall function 6D365BFF: CloseHandle.KERNEL32(FFFFFFFE,6D365C49,?,6D3653D6,00000000,00000001,00000000,?,?,6D364694,?,00000000,00000000,?,?), ref: 6D365C0F

___initconout.LIBCMT ref: 6D365C49

Part of subcall function 6D365BC1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D365BF0,6D3653C3,?,?,6D364694,?,00000000,00000000,?), ref: 6D365BD4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D3653D6,00000000,00000001,00000000,?,?,6D364694,?,00000000,00000000,?), ref: 6D365C5E

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e244774214a243caa92f0e6163edde08f5c241f2ccf8b1d253fd569fa6f98741
Instruction ID: 8c411272bdf36af4465696b939d5235373726e2f0a7f8ecd5545d40eae60c62d
Opcode Fuzzy Hash: e244774214a243caa92f0e6163edde08f5c241f2ccf8b1d253fd569fa6f98741
Instruction Fuzzy Hash: 52F03936404599BBCF621FD1CC08AAA3F7BFF0A3A0B094420FB1996160C7729960DBA0

Function 6D361873 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 6D3613AA: GetOEMCP.KERNEL32(00000000,?,?,?,6D362A47), ref: 6D3613D5

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,6D3616BA,?,00000000,?,?,6D362A47), ref: 6D3618D4
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,6D3616BA,?,00000000,?,?,6D362A47), ref: 6D361910

Strings

Mw;", xrefs: 6D36187B

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: Mw;"
API String ID: 546120528-4032204789
Opcode ID: 9015c1c5b5ff34126c77918f346f3a728c0ad205d12e4090e87a6f1f0335c35a
Instruction ID: 2929904f6132e359dd0b48ed84e93b7c7d99044301d88acc9a4e5dd04a3bc7c2
Opcode Fuzzy Hash: 9015c1c5b5ff34126c77918f346f3a728c0ad205d12e4090e87a6f1f0335c35a
Instruction Fuzzy Hash: 8B510471A042C69FDB21CF75C8816BABBF8EF41304F14846ED192C7259D7759146CBB0

Function 6D35E2FF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D35E324

Strings

RCC, xrefs: 6D35E33E
MOC, xrefs: 6D35E336

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ffdc5455e81bfecb9b0bb15a40f2cb390ffe4efa40295608db89611d0ea6839b
Instruction ID: 1602886fc27304f30c41f418c62bd4d8b3974cc2b72d090282e92fce991b4942
Opcode Fuzzy Hash: ffdc5455e81bfecb9b0bb15a40f2cb390ffe4efa40295608db89611d0ea6839b
Instruction Fuzzy Hash: 6541367190024AAFCF05CF94C881EEE7BB5FF48304F1581A9EA15BA250D336A961DB91

Function 6D364912 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,6D364CAC,00000000,?,?,00000000,?,00000000,00000000,00000000,?,?), ref: 6D3649FB
GetLastError.KERNEL32(6D364CAC,00000000,?,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6D362BB4,?), ref: 6D364A2B

Strings

Mw;", xrefs: 6D364921

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: Mw;"
API String ID: 442123175-4032204789
Opcode ID: dbb797200b712fb580f73c77dbcf93f63bfe6a50d0e78d472b949d713c45ca48
Instruction ID: e914167da909d9f7e95fa048205d13a7ae4cc1a759c10451fdac0af5269c961c
Opcode Fuzzy Hash: dbb797200b712fb580f73c77dbcf93f63bfe6a50d0e78d472b949d713c45ca48
Instruction Fuzzy Hash: 04318171A1425AAFDB14CF68CC91BEA77B9EB48304F0440A9E505D7294DB70ED81CB75

Function 6D364829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6D364C95,00000000,?,?,00000000,?,00000000), ref: 6D3648D3
GetLastError.KERNEL32(?,6D364C95,00000000,?,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6D362BB4), ref: 6D3648F9

Strings

Mw;", xrefs: 6D364838

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: Mw;"
API String ID: 442123175-4032204789
Opcode ID: 04d0721bc6f1e0dc036a5142acc467ce72e2c1da1fca83eef188a19d42b84e9f
Instruction ID: e46bf87cabde149dd976165245a242880e02bbd6f94d8a4078120f187e56e98d
Opcode Fuzzy Hash: 04d0721bc6f1e0dc036a5142acc467ce72e2c1da1fca83eef188a19d42b84e9f
Instruction Fuzzy Hash: 92219E31E14259AFCB24CF19C891AA9B3F9FF4D314B1440AAEA09D7254D731DD81CBA1

Function 6D36474E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6D364CC0,00000000,?,?,00000000,?,00000000), ref: 6D3647EA
GetLastError.KERNEL32(?,6D364CC0,00000000,?,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6D362BB4), ref: 6D364810

Strings

Mw;", xrefs: 6D36475D

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: Mw;"
API String ID: 442123175-4032204789
Opcode ID: dc81236e853e717bd1011ca95c7fb883939b1b879c97000ec50dc1b8aa17eb8c
Instruction ID: 0b23c2f1a9b00b4e7cf99f42ab3f3bd21b7243b63847e8b2267bb843bbd44d8c
Opcode Fuzzy Hash: dc81236e853e717bd1011ca95c7fb883939b1b879c97000ec50dc1b8aa17eb8c
Instruction Fuzzy Hash: CB218030E142599FCB15CF29CC90AE9B7B9EB4E305F1080AAEA45D7215D730DE42CB61

Function 6D35BCE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6D35C084
___raise_securityfailure.LIBCMT ref: 6D35C16C

Strings

Mw;", xrefs: 6D35C14D

Memory Dump Source

Source File: 00000000.00000002.1390424556.000000006D351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D350000, based on PE: true

Associated: 00000000.00000002.1390404985.000000006D350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390458301.000000006D368000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: Mw;"
API String ID: 3761405300-4032204789
Opcode ID: 5bb455302e742b93486a2d25589268aa5cea24e019e7c79ce0b3d7aa102a2bc2
Instruction ID: edffd50c33947f00528a0b3605132e3fea6623193cb3fc24a9a996708e82c248
Opcode Fuzzy Hash: 5bb455302e742b93486a2d25589268aa5cea24e019e7c79ce0b3d7aa102a2bc2
Instruction Fuzzy Hash: 7F21D3BAA15206FEDB14CF15E155B543BBDFB7A304F10802AE6488B390E3B09980CF59

Function 6D3705AF Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

}, xrefs: 6D3707C4
{, xrefs: 6D370625
,, xrefs: 6D370797
}, xrefs: 6D370693

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: ,${$}$}
API String ID: 0-728446245
Opcode ID: 1555f709d15c13ee7f9aff05ddb25673eecd1206d31ab747ecaa1b682b14ee06
Instruction ID: bc35480aa2430c08b5650358770aeea535b0a01f7dd9b97ae4b7ddc060e07767
Opcode Fuzzy Hash: 1555f709d15c13ee7f9aff05ddb25673eecd1206d31ab747ecaa1b682b14ee06
Instruction Fuzzy Hash: 995105B0908B068BE3305F2BD85532B7AF8BF81348F049578E6C986252E73FD104CB5A

Function 6D392B10 Relevance: 5.2, Strings: 4, Instructions: 181COMMON

Download Yara Rule

Strings

\oD, xrefs: 6D392C9C
, xrefs: 6D392B84
\oD, xrefs: 6D392B35
\oD, xrefs: 6D392BE0

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: $\oD$\oD$\oD
API String ID: 0-1655774928
Opcode ID: 42f3ca387ceb9feb97c9513d9686420401f676b13b602f98abdd7e4f3b5ca5c5
Instruction ID: d2ed03ee67c17c970169af290318bd04f2ee247d834d91da05a691fad818200b
Opcode Fuzzy Hash: 42f3ca387ceb9feb97c9513d9686420401f676b13b602f98abdd7e4f3b5ca5c5
Instruction Fuzzy Hash: C151606D94EED38DE3324E399151375BBE16B43304FA9C1A9C4D84F292F2674887CB52

Function 6D38F0BB Relevance: 5.1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

Strings

Ihd_, xrefs: 6D38F0D3
LXEx, xrefs: 6D38F0EB
Ekaj, xrefs: 6D38F0CB
^E`v, xrefs: 6D38F0C3

Memory Dump Source

Source File: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D36F000, based on PE: true

Associated: 00000000.00000002.1390544618.000000006D3BA000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d350000_tGm4SuP0sz.jbxd

Similarity

API ID:
String ID: Ekaj$Ihd_$LXEx$^E`v
API String ID: 0-1331426215
Opcode ID: e560be299b33481c0a99402b7e2626b2fe5922fdf1f0922f3832b13516bfd5fc
Instruction ID: e4f319153cd257f8f517e0d65524d9424897e69fdffefb366a8dddde422ebf54
Opcode Fuzzy Hash: e560be299b33481c0a99402b7e2626b2fe5922fdf1f0922f3832b13516bfd5fc
Instruction Fuzzy Hash: 60210EB12083868FD324CF29C8A1B5EBBE2BB84704F204C1DF1A5CB290DB75D809CB56

Analysis Process: aspnet_regiis.exePID: 7440, Parent PID: 7340COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.3%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 00436A70 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043988C,005C003F,00000006,?,?,00000018,BCBDBEBF,?,*QA), ref: 00436A96

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 0040AA80 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 270
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 0040AB9A

Strings

X, xrefs: 0040AAB0
X, xrefs: 0040AAF6
X, xrefs: 0040AACE
B, xrefs: 0040AAEC
R, xrefs: 0040AAD8
Z, xrefs: 0040AAC4
F, xrefs: 0040AB00
P, xrefs: 0040AABA

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID: B$F$P$R$X$X$X$Z
API String ID: 1029625771-3412365628
Opcode ID: 578134f4451ad78a3f9a9181d8e874eb2f163d4625e1681ae8047a6aa5fc69ca
Instruction ID: dd598e264a0560bb66d2d30c86609d32f0111e72a788003366678ec101191ef6
Opcode Fuzzy Hash: 578134f4451ad78a3f9a9181d8e874eb2f163d4625e1681ae8047a6aa5fc69ca
Instruction Fuzzy Hash: 8DC146B450C781CFC700DF28D48461ABBE1AB9A314F004A2EF4D5A7392D778A859DB9B

Function 004096E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00409739

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 0040970B

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: d6af8634371be7f9adbf63aa00ffc6355c7aaf593b22ced7c1feefe86d78ca9a
Instruction ID: 82811eb763b08e2a216a0f4860bd117365c47e1aad2dadacaf3c94007ff21ae5
Opcode Fuzzy Hash: d6af8634371be7f9adbf63aa00ffc6355c7aaf593b22ced7c1feefe86d78ca9a
Instruction Fuzzy Hash: 02E03972828200DACB14BF6182426A967906F15388F12883FE981722D3DB3D8846961F

Function 00436940 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(00409730), ref: 0043694B

Strings

Wu, xrefs: 0043694B

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: 4cf7ab7b2ef8b130e9d78c47066a4e4481d5f4e93a47a61b34368f773019281b
Instruction ID: 46e739cb66371f13af9979e29a2f2e1c28cce9907cd0cf73c677e2316a022541
Opcode Fuzzy Hash: 4cf7ab7b2ef8b130e9d78c47066a4e4481d5f4e93a47a61b34368f773019281b
Instruction Fuzzy Hash: 60A00278820501DBCE116F21FE0E50C7B22BB573497519479B45551437DE292814DA0D

Function 004366C0 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 004366C0

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: a832ce11f9b2b78d34e8998ed54d26d62c5cb69f7e3283dac8b6702f1d3ec4ab
Instruction ID: 4a123ee13ff89c346c1803f0528f4480e21fe37d950f4e2e47ed48238b6c9086
Opcode Fuzzy Hash: a832ce11f9b2b78d34e8998ed54d26d62c5cb69f7e3283dac8b6702f1d3ec4ab
Instruction Fuzzy Hash: 5FD012396201409FC74CFF28FC51A6633E0A746229315803DE047C2252CA24EA01861C

Non-executed Functions

Function 0042E490 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 160
clipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenClipboard.USER32 ref: 0042E4DD
GetWindowLongW.USER32 ref: 0042E506
GetClipboardData.USER32 ref: 0042E518
CloseClipboard.USER32 ref: 0042E64E

Strings

W, xrefs: 0042E59F
[, xrefs: 0042E58F
!, xrefs: 0042E58B
n, xrefs: 0042E5AF
l, xrefs: 0042E5B7
c, xrefs: 0042E593
b, xrefs: 0042E59B
P, xrefs: 0042E5A7
a, xrefs: 0042E5A3
V, xrefs: 0042E597
c, xrefs: 0042E5B3

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: !$P$V$W$[$a$b$c$c$l$n
API String ID: 1647500905-442629251
Opcode ID: bcb9f924028dbcac92138826d65abaefba1f26c1b197660e7bbe70eb77523828
Instruction ID: 74bdfcd54e904dab4c0bab061b67e559f6e16a6dafb19be60afdfbb9da9170a1
Opcode Fuzzy Hash: bcb9f924028dbcac92138826d65abaefba1f26c1b197660e7bbe70eb77523828
Instruction Fuzzy Hash: 22619CB0608740CFD720DF39D485716BBE1AF1A314F548A6DD8DA8B342D739E846CB66

Function 0042F0D2 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042F171
GetSystemMetrics.USER32 ref: 0042F182
DeleteObject.GDI32 ref: 0042F1EA
SelectObject.GDI32 ref: 0042F244
SelectObject.GDI32 ref: 0042F2D2
DeleteObject.GDI32 ref: 0042F30F

Strings

, xrefs: 0042F29F

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: e9351c781cdd7423028b1a0e61d38f8ddc8ad16ad0321eea0371dd4229369d22
Instruction ID: 7fb678e4427e2b284e0934f582c74d2bd3a248179ef726b0385307aaafabcb86
Opcode Fuzzy Hash: e9351c781cdd7423028b1a0e61d38f8ddc8ad16ad0321eea0371dd4229369d22
Instruction Fuzzy Hash: E9914AB4605B009FC364EF2CD985A16BBF1FB89704B108A6DE89AC7760D731B844CF96

Function 00410FA5 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 366COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00412012
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,?,?), ref: 0041204C

Strings

lx, xrefs: 00411291

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: lx
API String ID: 237503144-3595554650
Opcode ID: 22096bee09bd5474671cc10237d88cb1bbeca8dde8ec04b88883d36a90faa0e3
Instruction ID: 5d3a69eff4a95c2ebedf6f94874777b5e3e680966239c333cf380e08d75b26c3
Opcode Fuzzy Hash: 22096bee09bd5474671cc10237d88cb1bbeca8dde8ec04b88883d36a90faa0e3
Instruction Fuzzy Hash: 2AD199716183818BD334CF14C8A9B9BB7E1BFC6304F04492EE88997391D7799945CBAB

Function 0042B109 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c26af72d09c6abfc4cad20da26e359f66d4419e8eda47ac32b04b71f1fee6bf
Instruction ID: 93225cc52fafecf4d9b6477fd787fd4f6ff2f4f80a3bcdb9d327d7294cb36dd5
Opcode Fuzzy Hash: 3c26af72d09c6abfc4cad20da26e359f66d4419e8eda47ac32b04b71f1fee6bf
Instruction Fuzzy Hash: B3F0A5B45047019FC314DF28E49575ABBE0BB48304F51892DD5D68B751CB74AA48CF42

Function 0042ECA9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042ED27
GetSystemMetrics.USER32 ref: 0042ED38
DeleteObject.GDI32 ref: 0042ED9A
SelectObject.GDI32 ref: 0042EDE8
SelectObject.GDI32 ref: 0042EE76
DeleteObject.GDI32 ref: 0042EEAD

Strings

, xrefs: 0042EE49

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 695b99ea780bb438686103979d889aa75e431560cf685628114eb782f7ae57fb
Instruction ID: a2cb511f5f853d3e17429a697c2af7f20af71dca4cc77ea970b535d0df9a53ed
Opcode Fuzzy Hash: 695b99ea780bb438686103979d889aa75e431560cf685628114eb782f7ae57fb
Instruction Fuzzy Hash: 23815CB4A04B00DFC354EF29D585A1ABBF0FF49314F10896DE99ACB764D731A858CB92

Function 00422EC0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00422FBE
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00422FEE

Strings

_Z, xrefs: 00423004
F, xrefs: 0042300C
_M, xrefs: 00422FFC

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: F$_M$_Z
API String ID: 237503144-862553977
Opcode ID: dcfbdc026cab142696baebdc6674392b94d8334a2ad9550ac871aba0f0847eac
Instruction ID: d93be78fb57612f20b71aa7f19a5cf60f95524bd14bdaba22b8eaab2f151a033
Opcode Fuzzy Hash: dcfbdc026cab142696baebdc6674392b94d8334a2ad9550ac871aba0f0847eac
Instruction Fuzzy Hash: F4A179715183918BE328CF14D450B9FBBE2FFC5308F518A2DE8996B382D7749949CB92

Function 00422044 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00422178
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004221AD

Strings

%P, xrefs: 0042207A
[M, xrefs: 0042206A
IP, xrefs: 00422072

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: %P$IP$[M
API String ID: 237503144-1856547701
Opcode ID: 524c961932da136e3b86b03aba6b960e577ca4b776c6eded0946cf294691a716
Instruction ID: 066c9d0b2f9531f209e750b705a7b72c8120525504c8ad43776b860a3ab93f18
Opcode Fuzzy Hash: 524c961932da136e3b86b03aba6b960e577ca4b776c6eded0946cf294691a716
Instruction Fuzzy Hash: 06417BB5608350AFD324CF25D940A5FBBE5EBC4710F508A2EF9A99B390C7B4D801CB86

Function 0041DBC0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0041DCD8
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041DD09

Strings

qe, xrefs: 0041DC44
ix, xrefs: 0041DC3D

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ix$qe
API String ID: 237503144-631226833
Opcode ID: f970166ea82cc25616ac551c8eec6b0277b860be94b747de544db501f4c54533
Instruction ID: 8dccc910e16ad3b3dcb77308158c2f119e12f607070f466f75316741d0052ec4
Opcode Fuzzy Hash: f970166ea82cc25616ac551c8eec6b0277b860be94b747de544db501f4c54533
Instruction Fuzzy Hash: 9181CAB56007009FE724CF29D881B56BBF1FB89304F104A2DE9968B781E775E845CB95

Function 0042650C Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 443COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00426644

Strings

Wu, xrefs: 00426644
<VXw, xrefs: 004269E7

Memory Dump Source

Source File: 00000003.00000002.1403068197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_regiis.jbxd

Similarity

API ID: FreeLibrary
String ID: <VXw$Wu
API String ID: 3664257935-3952055155
Opcode ID: 32e326bd8da9bf92774132f0953f650f31decba6ef5bebfc91850a85a7836583
Instruction ID: 8c38ddb1536dba232c8e264fcf94d573aa701b108dcbd730389a6b7c662de2d3
Opcode Fuzzy Hash: 32e326bd8da9bf92774132f0953f650f31decba6ef5bebfc91850a85a7836583
Instruction Fuzzy Hash: 34F15B70100B928ED725CF39D860BE7BBE1AF52309F45486DD4EB8B282DB397549CB54

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tGm4SuP0sz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tGm4SuP0sz.exe.log

C:\Users\user\AppData\Roaming\d3d9.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

Windows Analysis Report
tGm4SuP0sz.exe

Function 6D3530C0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 285
COMMON

Function 6D35BE48 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6D35BEF8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6D35BD41 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6D36236F Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 6D38C3F0 Relevance: 20.5, Strings: 16, Instructions: 490
COMMON