Edit tour

Windows Analysis Report
1Gvue8ItW8.exe

Overview

General Information

Sample name:	1Gvue8ItW8.exe renamed because original name is a hash value
Original sample name:	fe70eb0688b5c73484c90d5ac6f0fc19.exe
Analysis ID:	1465835
MD5:	fe70eb0688b5c73484c90d5ac6f0fc19
SHA1:	2dd1e471d617369e56bfcc99856655ed8dd23b96
SHA256:	694bc44ca9827716a989fef8d775bd817d4eab31d510a77f96dee09955bf054d
Tags:	32exetrojan
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1Gvue8ItW8.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\1Gvue8ItW8.exe" MD5: FE70EB0688B5C73484C90D5AC6F0FC19)

RegAsm.exe (PID: 7460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@SEFYALUV"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.250933
SID:	2053682
Source Port:	58922
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.324781
SID:	2053674
Source Port:	64289
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.355477
SID:	2053670
Source Port:	59976
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.298095
SID:	2053678
Source Port:	59335
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.309411
SID:	2053676
Source Port:	53223
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (backcreammykiel .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.238010
SID:	2053812
Source Port:	53429
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.337871
SID:	2053672
Source Port:	64375
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.366350
SID:	2053668
Source Port:	60066
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	07/02/24-06:41:01.285893
SID:	2053680
Source Port:	60118
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://feighminoritsjda.shop/	Avira URL Cloud: Label: malware
Source: marathonbeedksow.shop	Avira URL Cloud: Label: malware
Source: https://richardflorespoew.shop/api	Avira URL Cloud: Label: malware
Source: https://marathonbeedksow.shop/	Avira URL Cloud: Label: malware
Source: feighminoritsjda.shop	Avira URL Cloud: Label: malware
Source: https://feighminoritsjda.shop/%	Avira URL Cloud: Label: malware
Source: https://strwawrunnygjwu.shop/api	Avira URL Cloud: Label: malware
Source: backcreammykiel.shop	Avira URL Cloud: Label: malware
Source: https://justifycanddidatewd.shop/api	Avira URL Cloud: Label: malware
Source: https://raiseboltskdlwpow.shop/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.1Gvue8ItW8.exe.b90000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@SEFYALUV"}

Multi AV Scanner detection for submitted file

Source: 1Gvue8ItW8.exe	ReversingLabs: Detection: 73%
Source: 1Gvue8ItW8.exe	Virustotal: Detection: 59%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1Gvue8ItW8.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: richardflorespoew.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: strwawrunnygjwu.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: justifycanddidatewd.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: raiseboltskdlwpow.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: falseaudiencekd.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: pleasurenarrowsdla.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: feighminoritsjda.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: marathonbeedksow.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: backcreammykiel.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String decryptor: LPnhqo--@SEFYALUV

Source: 1Gvue8ItW8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1Gvue8ItW8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Code function: 0_2_00BAF66C FindFirstFileExW,

0_2_00BAF66C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 22D223F1h	1_2_0043878E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	1_2_004389A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000888h]	1_2_0041E274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	1_2_00420210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	1_2_0041F2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [edi+04h]	1_2_00421288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push esi	1_2_00416556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	1_2_0043857C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	1_2_0041C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_004165D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	1_2_004275B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00403630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	1_2_004146A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ebx	1_2_00437740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, dword ptr [esp+60h]	1_2_004177BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+60h]	1_2_004177BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000238h]	1_2_004138FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	1_2_00439899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00424920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc ebx	1_2_004159F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h	1_2_0041FA7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	1_2_00422AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	1_2_0041CB1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000238h]	1_2_00410B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, edi	1_2_00424BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00426C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000148h]	1_2_00413C3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h	1_2_00415E0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00415E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0041FE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_0040CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], 0000002Bh	1_2_00425F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00426FB0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2053812 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (backcreammykiel .shop) 192.168.2.4:53429 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053682 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop) 192.168.2.4:58922 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053680 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop) 192.168.2.4:60118 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053678 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop) 192.168.2.4:59335 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053676 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop) 192.168.2.4:53223 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053674 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop) 192.168.2.4:64289 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053672 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop) 192.168.2.4:64375 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053670 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop) 192.168.2.4:59976 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2053668 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop) 192.168.2.4:60066 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: richardflorespoew.shop
Source: Malware configuration extractor	URLs: strwawrunnygjwu.shop
Source: Malware configuration extractor	URLs: justifycanddidatewd.shop
Source: Malware configuration extractor	URLs: raiseboltskdlwpow.shop
Source: Malware configuration extractor	URLs: falseaudiencekd.shop
Source: Malware configuration extractor	URLs: pleasurenarrowsdla.shop
Source: Malware configuration extractor	URLs: feighminoritsjda.shop
Source: Malware configuration extractor	URLs: marathonbeedksow.shop
Source: Malware configuration extractor	URLs: backcreammykiel.shop

Source: unknown	DNS traffic detected: query: feighminoritsjda.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: justifycanddidatewd.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: falseaudiencekd.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasurenarrowsdla.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: richardflorespoew.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: backcreammykiel.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: marathonbeedksow.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strwawrunnygjwu.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: raiseboltskdlwpow.shop replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: backcreammykiel.shop
Source: global traffic	DNS traffic detected: DNS query: marathonbeedksow.shop
Source: global traffic	DNS traffic detected: DNS query: feighminoritsjda.shop
Source: global traffic	DNS traffic detected: DNS query: pleasurenarrowsdla.shop
Source: global traffic	DNS traffic detected: DNS query: falseaudiencekd.shop
Source: global traffic	DNS traffic detected: DNS query: raiseboltskdlwpow.shop
Source: global traffic	DNS traffic detected: DNS query: justifycanddidatewd.shop
Source: global traffic	DNS traffic detected: DNS query: strwawrunnygjwu.shop
Source: global traffic	DNS traffic detected: DNS query: richardflorespoew.shop

Source: 1Gvue8ItW8.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 1Gvue8ItW8.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://falseaudiencekd.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://feighminoritsjda.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://feighminoritsjda.shop/%
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://justifycanddidatewd.shop/%
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://justifycanddidatewd.shop/api
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marathonbeedksow.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raiseboltskdlwpow.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raiseboltskdlwpow.shop/api
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raiseboltskdlwpow.shop/apib
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/:W=
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://richardflorespoew.shop/api
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strwawrunnygjwu.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strwawrunnygjwu.shop/api
Source: 1Gvue8ItW8.exe	String found in binary or memory: https://www.entrust.net/rpa0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0042EAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_0042EAD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0042EAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

1_2_0042EAD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0042F61A GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_0042F61A

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BA1880	0_2_00BA1880
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BAD2CE	0_2_00BAD2CE
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00B97A00	0_2_00B97A00
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BB1CA0	0_2_00BB1CA0
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BA95A9	0_2_00BA95A9
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BB3DC6	0_2_00BB3DC6
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BA464E	0_2_00BA464E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0043A090	1_2_0043A090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0043C0B0	1_2_0043C0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00420210	1_2_00420210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041F2E1	1_2_0041F2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00421288	1_2_00421288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00408340	1_2_00408340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0043A310	1_2_0043A310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042D33A	1_2_0042D33A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042B3F9	1_2_0042B3F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00404450	1_2_00404450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00434400	1_2_00434400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00429500	1_2_00429500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0043A5C0	1_2_0043A5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004165D4	1_2_004165D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004225E3	1_2_004225E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00406630	1_2_00406630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041D6F0	1_2_0041D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042D73D	1_2_0042D73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00410810	1_2_00410810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042B8B3	1_2_0042B8B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00420947	1_2_00420947
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00427973	1_2_00427973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042792E	1_2_0042792E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004039E0	1_2_004039E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00427986	1_2_00427986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0043A990	1_2_0043A990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00405994	1_2_00405994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041CB1E	1_2_0041CB1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00420BC0	1_2_00420BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00424BC0	1_2_00424BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00422CD6	1_2_00422CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0043BD90	1_2_0043BD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00404E30	1_2_00404E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401F40	1_2_00401F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00423F2F	1_2_00423F2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00436FA0	1_2_00436FA0

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: String function: 00B9CC80 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408D40 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004109A0 appears 198 times

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268

Source: 1Gvue8ItW8.exe

Static PE information: invalid certificate

Source: 1Gvue8ItW8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/5@9/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0042B0B2 CoCreateInstance,

1_2_0042B0B2

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0409bcb2-feca-49d1-9075-fa1d0b4d516d

Jump to behavior

Source: 1Gvue8ItW8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1Gvue8ItW8.exe	ReversingLabs: Detection: 73%
Source: 1Gvue8ItW8.exe	Virustotal: Detection: 59%

Source: unknown	Process created: C:\Users\user\Desktop\1Gvue8ItW8.exe "C:\Users\user\Desktop\1Gvue8ItW8.exe"
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior

Source: 1Gvue8ItW8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1Gvue8ItW8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1Gvue8ItW8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1Gvue8ItW8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1Gvue8ItW8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1Gvue8ItW8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1Gvue8ItW8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1Gvue8ItW8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 1Gvue8ItW8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1Gvue8ItW8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1Gvue8ItW8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1Gvue8ItW8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1Gvue8ItW8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00B9C56A push ecx; ret	0_2_00B9C57D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00442101 push 0000007Bh; retf	1_2_00442103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004422EE push cs; retf	1_2_004422EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0043F35B pushad ; iretd	1_2_0043F369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00442386 push ebp; iretd	1_2_00442387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004426F6 push esp; iretd	1_2_004426E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004426F6 push es; retf	1_2_00442709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00441689 push D379FC65h; retf	1_2_0044168E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00442692 push esp; iretd	1_2_004426E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044173B push 6E8C8D5Fh; ret	1_2_00441745

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

API coverage: 9.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7500

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Code function: 0_2_00BAF66C FindFirstFileExW,

0_2_00BAF66C

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00438320 LdrInitializeThunk,

1_2_00438320

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Code function: 0_2_00BA0943 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BA0943

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BA6C75 mov ecx, dword ptr fs:[00000030h]		0_2_00BA6C75
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BADFC5 mov eax, dword ptr fs:[00000030h]		0_2_00BADFC5

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Code function: 0_2_00BB2DB5 GetProcessHeap,

0_2_00BB2DB5

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00BA0943 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BA0943
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00B9CA5E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B9CA5E
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00B9CBBA SetUnhandledExceptionFilter,	0_2_00B9CBBA
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: 0_2_00B9CCF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B9CCF3

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Code function: 0_2_009D018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_009D018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: richardflorespoew.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: strwawrunnygjwu.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: justifycanddidatewd.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: raiseboltskdlwpow.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: falseaudiencekd.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: pleasurenarrowsdla.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: feighminoritsjda.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: marathonbeedksow.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: backcreammykiel.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000	Jump to behavior
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 87B008	Jump to behavior

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Code function: 0_2_00B9C745 cpuid

0_2_00B9C745

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetLocaleInfoW,	0_2_00BB2855
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: EnumSystemLocalesW,	0_2_00BAA198
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00BB21EF
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00BB297E
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetLocaleInfoW,	0_2_00BB2A84
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetLocaleInfoW,	0_2_00BB23EA
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00BB2B53
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: EnumSystemLocalesW,	0_2_00BB2491
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: EnumSystemLocalesW,	0_2_00BB24DC
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: EnumSystemLocalesW,	0_2_00BB2577
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetLocaleInfoW,	0_2_00BAA6BE
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00BB2602

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe

Code function: 0_2_00B9C954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B9C954

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	411 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1Gvue8ItW8.exe	74%	ReversingLabs	Win32.Spyware.Lummastealer
1Gvue8ItW8.exe	59%	Virustotal		Browse
1Gvue8ItW8.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
justifycanddidatewd.shop	0%	Avira URL Cloud	safe
https://raiseboltskdlwpow.shop/apib	0%	Avira URL Cloud	safe
https://feighminoritsjda.shop/	100%	Avira URL Cloud	malware
http://ocsp.entrust.net02	0%	Avira URL Cloud	safe
http://www.entrust.net/rpa03	0%	Avira URL Cloud	safe
pleasurenarrowsdla.shop	0%	Avira URL Cloud	safe
marathonbeedksow.shop	100%	Avira URL Cloud	malware
richardflorespoew.shop	0%	Avira URL Cloud	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	Avira URL Cloud	safe
https://raiseboltskdlwpow.shop/	0%	Avira URL Cloud	safe
falseaudiencekd.shop	0%	Avira URL Cloud	safe
https://justifycanddidatewd.shop/%	0%	Avira URL Cloud	safe
https://richardflorespoew.shop/api	100%	Avira URL Cloud	malware
https://strwawrunnygjwu.shop/	0%	Avira URL Cloud	safe
https://marathonbeedksow.shop/	100%	Avira URL Cloud	malware
feighminoritsjda.shop	100%	Avira URL Cloud	malware
https://feighminoritsjda.shop/%	100%	Avira URL Cloud	malware
strwawrunnygjwu.shop	0%	Avira URL Cloud	safe
https://richardflorespoew.shop/	0%	Avira URL Cloud	safe
https://strwawrunnygjwu.shop/api	100%	Avira URL Cloud	malware
raiseboltskdlwpow.shop	0%	Avira URL Cloud	safe
http://crl.entrust.net/ts1ca.crl0	0%	Avira URL Cloud	safe
backcreammykiel.shop	100%	Avira URL Cloud	malware
https://justifycanddidatewd.shop/api	100%	Avira URL Cloud	malware
https://richardflorespoew.shop/:W=	0%	Avira URL Cloud	safe
https://www.entrust.net/rpa0	0%	Avira URL Cloud	safe
https://falseaudiencekd.shop/	0%	Avira URL Cloud	safe
https://raiseboltskdlwpow.shop/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
justifycanddidatewd.shop	unknown	unknown	true	unknown
richardflorespoew.shop	unknown	unknown	true	unknown
strwawrunnygjwu.shop	unknown	unknown	true	unknown
falseaudiencekd.shop	unknown	unknown	true	unknown
raiseboltskdlwpow.shop	unknown	unknown	true	unknown
backcreammykiel.shop	unknown	unknown	true	unknown
marathonbeedksow.shop	unknown	unknown	true	unknown
feighminoritsjda.shop	unknown	unknown	true	unknown
pleasurenarrowsdla.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
justifycanddidatewd.shop	true	Avira URL Cloud: safe	unknown
marathonbeedksow.shop	true	Avira URL Cloud: malware	unknown
pleasurenarrowsdla.shop	true	Avira URL Cloud: safe	unknown
richardflorespoew.shop	true	Avira URL Cloud: safe	unknown
falseaudiencekd.shop	true	Avira URL Cloud: safe	unknown
feighminoritsjda.shop	true	Avira URL Cloud: malware	unknown
strwawrunnygjwu.shop	true	Avira URL Cloud: safe	unknown
raiseboltskdlwpow.shop	true	Avira URL Cloud: safe	unknown
backcreammykiel.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raiseboltskdlwpow.shop/apib	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://feighminoritsjda.shop/	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	1Gvue8ItW8.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	1Gvue8ItW8.exe	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	1Gvue8ItW8.exe	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	1Gvue8ItW8.exe	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://raiseboltskdlwpow.shop/	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://justifycanddidatewd.shop/%	RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://richardflorespoew.shop/api	RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://strwawrunnygjwu.shop/	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marathonbeedksow.shop/	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://feighminoritsjda.shop/%	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://richardflorespoew.shop/	RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://strwawrunnygjwu.shop/api	RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	1Gvue8ItW8.exe	false	Avira URL Cloud: safe	unknown
https://justifycanddidatewd.shop/api	RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://richardflorespoew.shop/:W=	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	1Gvue8ItW8.exe	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	1Gvue8ItW8.exe	false	Avira URL Cloud: safe	unknown
https://falseaudiencekd.shop/	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raiseboltskdlwpow.shop/api	RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465835
Start date and time:	2024-07-02 06:40:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1Gvue8ItW8.exe renamed because original name is a hash value
Original Sample Name:	fe70eb0688b5c73484c90d5ac6f0fc19.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/5@9/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 17 Number of non-executed functions: 96
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
00:41:00	API Interceptor	1x Sleep call for process: RegAsm.exe modified
00:41:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1Gvue8ItW8.exe_7bc3b5b58e175b56deb741256a6753d5c1f43_7ae6c50f_5aa95db8-f190-41a7-b596-b18fc1c3b665\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6472544734601396
Encrypted:	false
SSDEEP:	96:qUFfEqaspqnqvesDqwhqA1yDfRgBQXIDcQvc6QcEVcw3cE/Mqdqm+HbHg/5hZAXz:79CspeZT0BU/YjhzuiFjZ24IO8n
MD5:	8FABC5C5010ED1FFD30521BAC5485686
SHA1:	B5F039D5D23F80C2DA6C60A603C8F19159E1E445
SHA-256:	7A495B5F09DBBB812146ECC3EA4F8B48B6D54410B7467202D6668BD5C412A345
SHA-512:	C8A89FEDE8E33B6E0A7AA8C5D5B6946B41B2144433758EB46D604B56E38BEFA6F5CE5B8DD0F488A3BA3AB2CFBD70A1C0E08EFF423F72DDFC6AEE3C668AF47F08
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.6.8.8.6.0.3.1.2.6.7.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.6.8.8.6.0.6.8.7.6.6.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.a.9.5.d.b.8.-.f.1.9.0.-.4.1.a.7.-.b.5.9.6.-.b.1.8.f.c.1.c.3.b.6.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.1.d.d.e.0.2.-.7.b.c.7.-.4.e.d.b.-.8.1.0.d.-.f.8.5.9.7.9.2.5.9.6.9.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.G.v.u.e.8.I.t.W.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.0.c.-.0.0.0.1.-.0.0.1.4.-.4.8.f.3.-.6.0.0.9.3.a.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.6.3.9.1.1.2.6.9.7.4.a.1.b.e.0.2.a.c.b.f.3.3.a.e.7.8.0.d.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.2.d.d.1.e.4.7.1.d.6.1.7.3.6.9.e.5.6.b.f.c.c.9.9.8.5.6.6.5.5.e.d.8.d.d.2.3.b.9.6.!.1.G.v.u.e.8.I.t.W.8...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE817.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jul 2 04:41:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	49250
Entropy (8bit):	1.601952085694189
Encrypted:	false
SSDEEP:	192:vLWOjYZKrVAmkDyhLsKQGsA8Rfz3TH/8FLuWK29a8h:DhcZAAmkMLsLG8LTcLuhEv
MD5:	0979DE0B94F78CE389E0C1CBD3B23997
SHA1:	FDCC43979D8B9AB67D42D7E6A88E190F59C5BC06
SHA-256:	8912AA708D951794F2881B3BD166712812DABBE772F0266B945D199916516EAE
SHA-512:	BC2D4253EFE15105E8A088FC77121E112182FC0EB66840B6BB655D63A38D9DCAA67BD57B8418DDB5D2BF469843142BBDBF601DF64A5AF25D73745EFDAB39B6C0
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........f........................d...........................T.......8...........T...........................`...........L...............................................................................eJ..............GenuineIntel............T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE866.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.6937116651571333
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1t6X7oY6Y9DSU511gmfVJDtprj89b6VsfIMem:R6lXJv6LoY6YZSU5ngmfVJDE6ufIc
MD5:	73C6B53E55830C9D6A76410C34E2B35B
SHA1:	C38FE91D7E2393763E6DC2AB5690CABF5721BBA6
SHA-256:	5AFA8D6F1C4F35EB50A01D828F50D888319E397764BA834203F5002A80751DC4
SHA-512:	478EDE1137572DF8AB8D4162B2CE8C9180D0DCCDDB280305E55162A5B162856D25ADC219695987AF3D9759035FE4261FE5E0C81CB86CC0731DD57ED093B39E21
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8B5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4585
Entropy (8bit):	4.45616596130131
Encrypted:	false
SSDEEP:	48:cvIwWl8zsfJg77aI9KdWpW8VYq0Ym8M4JetiFI+q8Z8XDYUdd:uIjfBI7Is7VVBJep4OYUdd
MD5:	A9B03C0AE355F25CF30E15337876E1CB
SHA1:	C5F8141630310BDA711F77419E9BA5C3263E9B59
SHA-256:	BA1F7D0E8BB2A8A84918A05DEE01C0245223667702229B2AA1F4420E70946F5A
SHA-512:	6BA96D6F6B28F1B4BEE77F17CC1CEA63C9DD31B8BEF0B51715402A5D305CA10D94588642E80DF26D5795D7B60AD1850DF8217A48AE85F02DA3451A5C4191EDB1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392863" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465454833572974
Encrypted:	false
SSDEEP:	6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNVdwBCswSbt:4XD94+WlLZMM6YFHj+t
MD5:	55B958130979EAF7BDBDF92CF39D0D66
SHA1:	24D562C92E286CB6AB2C2A3291262D8C8FF0C668
SHA-256:	A51DCF5D5E4830585DA5AD95A2F90B44E6E81E73AFC15C244CB42D7879226ADB
SHA-512:	4B9E927648B45A4501BBFE79AF4B7EB1D39EF3718471293554BB593B46F096D881DFA08196BBFDEBF8A5E4388615EB5A78ED8902752266065029382A0158F498
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*...:................................................................................................................................................................................................................................................................................................................................................Y.=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.628794944649711
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1Gvue8ItW8.exe
File size:	552'488 bytes
MD5:	fe70eb0688b5c73484c90d5ac6f0fc19
SHA1:	2dd1e471d617369e56bfcc99856655ed8dd23b96
SHA256:	694bc44ca9827716a989fef8d775bd817d4eab31d510a77f96dee09955bf054d
SHA512:	9b8516894ec06c54456612ef7f8d7c3f1f2f11fd56d2a3e9cd8587f31c761c0efb4ada9d0d48ffd314532fa3f0daf1777ca5232f5b89b230cc4fb17ace408454
SSDEEP:	12288:rTxrdC4vcMwARLIkzjLA2K9wiNOvPOVPQp8FGwSV8zt4Iy9qHEO:HPCfHa0wq6mPQySVO2Iy9At
TLSH:	31C4E11075C18076D5A305330AE4DBB66E3DF9604B615DCFA3941F7E8F302D2AB3AA96
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\.j...j...j..R....j..R.../j..R....j..C....j..R....j...j...j..C....j..C....j..r....j..r.c..j..r....j..Rich.j..........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40c1e6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66705B34 [Mon Jun 17 15:50:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6d2bc796d2349b15e473ed3f5470c136

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007F595501A2DBh
jmp 00007F5955019999h
push ebp
mov ebp, esp
jmp 00007F5955019B2Fh
push dword ptr [ebp+08h]
call 00007F5955025E93h
pop ecx
test eax, eax
je 00007F5955019B31h
push dword ptr [ebp+08h]
call 00007F5955022CEAh
pop ecx
test eax, eax
je 00007F5955019B08h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F595501A5D0h
jmp 00007F5955017A94h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F595501A5DCh
pop ecx
pop ebp
ret
jmp 00007F595501A5D4h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F5955019B3Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F5955019B2Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F5955019B2Eh
add edx, 28h
cmp edx, esi
jne 00007F5955019B0Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F5955019B1Bh
push esi
call 00007F595501A58Fh
test eax, eax
je 00007F5955019B42h
mov eax, dword ptr fs:[00000018h]
mov esi, 00483730h
mov edx, dword ptr [eax+04h]
jmp 00007F5955019B26h
cmp edx, eax
je 00007F5955019B32h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F5955019B12h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34554	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x85000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x84800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x2278	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x31ab8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31b00	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x319f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29000	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27cd2	0x27e00	3d86e11aca45fd75da860af6147a4d53	False	0.5593345905172413	data	6.6394300411668	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0xbdba	0xbe00	3997197f4b3e5331dc35d69835b455a8	False	0.41720805921052634	data	5.016603150146324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x35000	0x4f244	0x4e200	102a6a450ebad67120f6b7d60824325e	False	0.9819875	data	7.988228551613357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x85000	0x1e0	0x200	b8d21ff7b0411c01c391d7037524e407	False	0.52734375	data	4.7122981932940915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x2278	0x2400	9e825894a0ce8ec3d015bfd41cde4fb3	False	0.7376302083333334	data	6.453522958282726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x85060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

WriteConsoleW, HeapSize, CreateFileW, CloseHandle, WaitForSingleObject, CreateThread, VirtualAlloc, RaiseException, InitOnceBeginInitialize, InitOnceComplete, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, WideCharToMultiByte, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetProcessHeap, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-06:41:01.250933	UDP	2053682	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop)	58922	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.324781	UDP	2053674	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop)	64289	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.355477	UDP	2053670	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop)	59976	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.298095	UDP	2053678	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop)	59335	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.309411	UDP	2053676	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop)	53223	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.238010	UDP	2053812	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (backcreammykiel .shop)	53429	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.337871	UDP	2053672	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop)	64375	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.366350	UDP	2053668	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop)	60066	53	192.168.2.4	1.1.1.1
07/02/24-06:41:01.285893	UDP	2053680	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop)	60118	53	192.168.2.4	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 06:41:01.238009930 CEST	53429	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.249537945 CEST	53	53429	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.250932932 CEST	58922	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.259865999 CEST	53	58922	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.285892963 CEST	60118	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.296669006 CEST	53	60118	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.298094988 CEST	59335	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.307109118 CEST	53	59335	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.309411049 CEST	53223	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.320616961 CEST	53	53223	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.324780941 CEST	64289	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.336265087 CEST	53	64289	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.337871075 CEST	64375	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.347536087 CEST	53	64375	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.355477095 CEST	59976	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.364279985 CEST	53	59976	1.1.1.1	192.168.2.4
Jul 2, 2024 06:41:01.366349936 CEST	60066	53	192.168.2.4	1.1.1.1
Jul 2, 2024 06:41:01.375494957 CEST	53	60066	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 06:41:01.238009930 CEST	192.168.2.4	1.1.1.1	0xb23c	Standard query (0)	backcreammykiel.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.250932932 CEST	192.168.2.4	1.1.1.1	0x4dc7	Standard query (0)	marathonbeedksow.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.285892963 CEST	192.168.2.4	1.1.1.1	0xa455	Standard query (0)	feighminoritsjda.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.298094988 CEST	192.168.2.4	1.1.1.1	0x767f	Standard query (0)	pleasurenarrowsdla.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.309411049 CEST	192.168.2.4	1.1.1.1	0xc173	Standard query (0)	falseaudiencekd.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.324780941 CEST	192.168.2.4	1.1.1.1	0xbbb8	Standard query (0)	raiseboltskdlwpow.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.337871075 CEST	192.168.2.4	1.1.1.1	0xab75	Standard query (0)	justifycanddidatewd.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.355477095 CEST	192.168.2.4	1.1.1.1	0x65c2	Standard query (0)	strwawrunnygjwu.shop	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.366349936 CEST	192.168.2.4	1.1.1.1	0xcc5d	Standard query (0)	richardflorespoew.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 06:41:01.249537945 CEST	1.1.1.1	192.168.2.4	0xb23c	Name error (3)	backcreammykiel.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.259865999 CEST	1.1.1.1	192.168.2.4	0x4dc7	Name error (3)	marathonbeedksow.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.296669006 CEST	1.1.1.1	192.168.2.4	0xa455	Name error (3)	feighminoritsjda.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.307109118 CEST	1.1.1.1	192.168.2.4	0x767f	Name error (3)	pleasurenarrowsdla.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.320616961 CEST	1.1.1.1	192.168.2.4	0xc173	Name error (3)	falseaudiencekd.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.336265087 CEST	1.1.1.1	192.168.2.4	0xbbb8	Name error (3)	raiseboltskdlwpow.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.347536087 CEST	1.1.1.1	192.168.2.4	0xab75	Name error (3)	justifycanddidatewd.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.364279985 CEST	1.1.1.1	192.168.2.4	0x65c2	Name error (3)	strwawrunnygjwu.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 06:41:01.375494957 CEST	1.1.1.1	192.168.2.4	0xcc5d	Name error (3)	richardflorespoew.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:40:59
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\1Gvue8ItW8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1Gvue8ItW8.exe"
Imagebase:	0xb90000
File size:	552'488 bytes
MD5 hash:	FE70EB0688B5C73484C90D5AC6F0FC19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:40:59
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x6c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:41:00
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268
Imagebase:	0x420000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.3%
Signature Coverage:	4.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 009D018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,009D00FF,009D00EF), ref: 009D02FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 009D030F
Wow64GetThreadContext.KERNEL32(000000F0,00000000), ref: 009D032D
ReadProcessMemory.KERNELBASE(000000F4,?,009D0143,00000004,00000000), ref: 009D0351
VirtualAllocEx.KERNELBASE(000000F4,?,?,00003000,00000040), ref: 009D037C
WriteProcessMemory.KERNELBASE(000000F4,00000000,?,?,00000000,?), ref: 009D03D4
WriteProcessMemory.KERNELBASE(000000F4,00400000,?,?,00000000,?,00000028), ref: 009D041F
WriteProcessMemory.KERNELBASE(000000F4,-00000008,?,00000004,00000000), ref: 009D045D
Wow64SetThreadContext.KERNEL32(000000F0,00B60000), ref: 009D0499
ResumeThread.KERNELBASE(000000F0), ref: 009D04A8

Strings

GetP, xrefs: 009D020F
ress, xrefs: 009D0217
ReadProcessMemory, xrefs: 009D027A
GetThreadContext, xrefs: 009D0267
VirtualAlloc, xrefs: 009D0254
ResumeThread, xrefs: 009D02C9
WriteProcessMemory, xrefs: 009D02A0
SetThreadContext, xrefs: 009D02B3
aryA, xrefs: 009D01D3
VirtualAllocEx, xrefs: 009D028D
TerminateProcess, xrefs: 009D038B
CreateProcessA, xrefs: 009D0241
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 009D02FB
Load, xrefs: 009D01CB

Memory Dump Source

Source File: 00000000.00000002.1792839089.00000000009D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_1Gvue8ItW8.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: 45c187fb517586fa1566c82a763f7e56e73b5f56ccc57b7aa2b6590a47f9117e
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: EAB1F67264024AAFDB60CF68CC80BDA77A9FF88714F158525EA0CEB341D774FA418B94

Function 00BAEC8D Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00BAED14
__alloca_probe_16.LIBCMT ref: 00BAEDD5
__freea.LIBCMT ref: 00BAEE3C

Part of subcall function 00BAD17B: HeapAlloc.KERNEL32(00000000,?,?,?,00B9C20A,?,?,00B9193D,?,?,00B9949E,?,?), ref: 00BAD1AD

__freea.LIBCMT ref: 00BAEE51
__freea.LIBCMT ref: 00BAEE61

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 4e301a6740b954828f5a60157603395ee8ddeff425138098c5bf031a20c1c888
Instruction ID: af0ba572b67e57b67180bca6423c7a2ba840ce3138f50afb268fb70cc7b332ad
Opcode Fuzzy Hash: 4e301a6740b954828f5a60157603395ee8ddeff425138098c5bf031a20c1c888
Instruction Fuzzy Hash: C5518E72608206AFEF219F64CC81EBB3AE9EF46750F1505B8FD29D7150E731DD508660

Function 00B98E80 Relevance: 4.5, APIs: 3, Instructions: 16
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00009470,00000000,00000000,00000000), ref: 00B98E90
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B98E9B
CloseHandle.KERNEL32(00000000), ref: 00B98EA2

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleThreadWait
String ID:
API String ID: 51348343-0
Opcode ID: 9033bde07684bbf24e85fc48c6a2eb39ff5163fa653539d547776ddf6bc18ad2
Instruction ID: 66456dcfd59b299c75a4e89e86b413bef7acdf72372f9aa77cbbff7741dec6ed
Opcode Fuzzy Hash: 9033bde07684bbf24e85fc48c6a2eb39ff5163fa653539d547776ddf6bc18ad2
Instruction Fuzzy Hash: F5D01231285230BBFA7137247C0FF993A549B06B31F600340F721BA2F04ED0240185BD

Function 00BB0118 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BAFC48: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00BAFC73

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00BAFF5F,?,00000000,?,00000000,?), ref: 00BB0179
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BAFF5F,?,00000000,?,00000000,?), ref: 00BB01BB

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 168b3d967a5f7e2414e5f77322474c28b193038d00d2a08cf03b8ccb7180bc85
Instruction ID: b646b6a262915324c0801688fd3dd7357872f57f74e13e1b108c4b03d19fbeb6
Opcode Fuzzy Hash: 168b3d967a5f7e2414e5f77322474c28b193038d00d2a08cf03b8ccb7180bc85
Instruction Fuzzy Hash: 5E515570A103459FDB25EFB5C8896FFBBF4EF45300F1480AED18697252E6B49949CB80

Function 00B99470 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 124
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00B9951E

Strings

MZx, xrefs: 00B9954E, 00B99553

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: AllocVirtual
String ID: MZx
API String ID: 4275171209-2575928145
Opcode ID: 4bbbd7cad2e43b0383db912d2c2cdac0976232ca6c0efaebcfad7514cc383766
Instruction ID: 7cc498fe81e09d20284f4374125046e781564525f7fcb68da9bf560ebb1d2bec
Opcode Fuzzy Hash: 4bbbd7cad2e43b0383db912d2c2cdac0976232ca6c0efaebcfad7514cc383766
Instruction Fuzzy Hash: F5412571D002149BDF11EB78DC45BEEB7F4EF19310F1402B9F904A7282EB75AA808764

Function 00BAA7FB Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00BAED7B,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00BAA82F
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00BAED7B,?,?,00000000,?,00000000), ref: 00BAA84D

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 4243d38941234fa2eff74080e91ce1e31cfbd835d93f34b2871cf81e76120115
Instruction ID: 96225d78fa25b713fb22b42c69268822cafe496051bc6d093f3e7925d21cdf76
Opcode Fuzzy Hash: 4243d38941234fa2eff74080e91ce1e31cfbd835d93f34b2871cf81e76120115
Instruction Fuzzy Hash: FFF07A3240411ABBCF126F90EC09DDE3FA6EF593A0F058165FE1825020CB36C972EBA1

Function 00BA9C4C Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00BB11D3,?,00000000,?,?,00BB1474,?,00000007,?,?,00BB196D,?,?), ref: 00BA9C62
GetLastError.KERNEL32(?,?,00BB11D3,?,00000000,?,?,00BB1474,?,00000007,?,?,00BB196D,?,?), ref: 00BA9C6D

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 04566f70082bfa0172ff5b78d4365e788e9db077037ed1e426d07d53c7ae1533
Instruction ID: 69194037f0b1179367fca0499ea847e05a304dcf3fabd52c754319b189dd770a
Opcode Fuzzy Hash: 04566f70082bfa0172ff5b78d4365e788e9db077037ed1e426d07d53c7ae1533
Instruction Fuzzy Hash: 38E01232104614FBCB113FB5ED09B993BE8EB42765F5081A0FB0C97171EE749950DBA4

Function 00BAFD1C Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,00BAFF6B,00BAFF5F,00000000), ref: 00BAFD4E

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 7f02b2d260c413c769b020684d4970d0d036efc268d0cb2b52306bfe13419e9a
Instruction ID: ba78a22f04250b85783725f2126a1329cc32178bb1258278bba189d7817416ee
Opcode Fuzzy Hash: 7f02b2d260c413c769b020684d4970d0d036efc268d0cb2b52306bfe13419e9a
Instruction Fuzzy Hash: 675147B19082599ADB228E68CD84AFA7BF8EB57304F2405FDE59AC7152C3319D468B20

Function 00BA9BEF Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00BA90BE,00000001,00000364,?,00000002,000000FF,?,?,00BA0D62,00BAD1BE,?), ref: 00BA9C30

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d25fc64caed33d0646a91b7fc0f8161a5662655e900e5411229125d3d35380a6
Instruction ID: df937d43fcc3d28ec3c5ed958f29b1253e83755d1db252823b66e2946922ce0c
Opcode Fuzzy Hash: d25fc64caed33d0646a91b7fc0f8161a5662655e900e5411229125d3d35380a6
Instruction Fuzzy Hash: D4F0B43164D92566DB216B258C45B9B77C8EB53B70F1881A1AC189A091FE30E80166A0

Non-executed Functions

Function 00BB3DC6 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1441COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BB3FAA

Strings

1#SNAN, xrefs: 00BB3ED2
1#QNAN, xrefs: 00BB3ED9
1#INF, xrefs: 00BB3EFC
1#IND, xrefs: 00BB3ECB

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2514053b633b8aa31e1d0535e6e6be5254609d91e224ec5ad4af270aea42fc29
Instruction ID: ea48f4cc579d942b70cbf8c6f019f22206510d30099efeff6adf57ec6b8bb3c6
Opcode Fuzzy Hash: 2514053b633b8aa31e1d0535e6e6be5254609d91e224ec5ad4af270aea42fc29
Instruction Fuzzy Hash: F6D21771E086288FDB65CE28DD807EAB7F5FB44305F1445EAD44EA7241DBB8AE818F41

Function 00BB297E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00BB2C9C,00000002,00000000,?,?,?,00BB2C9C,?,00000000), ref: 00BB2A17
GetLocaleInfoW.KERNEL32(?,20001004,00BB2C9C,00000002,00000000,?,?,?,00BB2C9C,?,00000000), ref: 00BB2A40
GetACP.KERNEL32(?,?,00BB2C9C,?,00000000), ref: 00BB2A55

Strings

OCP, xrefs: 00BB29D2
ACP, xrefs: 00BB299C

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 546c87b96726edd282c2784d95810a83dc9763a8773949d3077181ef2c24bd48
Instruction ID: d3ec66a13512fb873546f9558811f9c0e52956c06006c16f93c96953c1bb4441
Opcode Fuzzy Hash: 546c87b96726edd282c2784d95810a83dc9763a8773949d3077181ef2c24bd48
Instruction Fuzzy Hash: 7D21FC62A00100ABEB318F24C801AF773E6EB54B50B1688F0E94AD7218EBF2DE41D360

Function 00BB2B53 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00BB2C5F
IsValidCodePage.KERNEL32(00000000), ref: 00BB2CA8
IsValidLocale.KERNEL32(?,00000001), ref: 00BB2CB7
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00BB2CFF
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00BB2D1E

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 0b78b3c490b6b3e93b7d87145809853139ba656b9e6671f96c1e589ef25c1911
Instruction ID: 651594ab725911b6c844297fd8d76a0d9a9af5633ea8380aa5a905cfe80a55c4
Opcode Fuzzy Hash: 0b78b3c490b6b3e93b7d87145809853139ba656b9e6671f96c1e589ef25c1911
Instruction Fuzzy Hash: F3514071A00605AFDF10DFA5DC85AFE7BF8EF18700F1445A9A911E71A1EBF0D9408B61

Function 00BB21EF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

GetACP.KERNEL32(?,?,?,?,?,?,00BA75B4,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00BB22B0
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00BA75B4,?,?,?,00000055,?,-00000050,?,?), ref: 00BB22DB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00BB243E

Strings

utf8, xrefs: 00BB23AD

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: fc060a5c27a30312cf4e241478b805efe29a0462f17d61e241b28a6431d17942
Instruction ID: a9cdcd1cf95003bf0c4668ba3f80dc836ec8b81d2adee15024455f6f7b8fbf63
Opcode Fuzzy Hash: fc060a5c27a30312cf4e241478b805efe29a0462f17d61e241b28a6431d17942
Instruction Fuzzy Hash: E771E571A00206ABEB24AB74CC86BFA73E8EF59740F1444A9F905DB181FBF4E9408765

Function 00BAD2CE Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BAD35B

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: af5af7e577b4181119ea57b5f8589b4cd2dab420a335f791aa1a2a725df60e81
Instruction ID: d091107b57e73694d0f2a3ab11983cb3cf1d840c20dee1b474bf6ebebc7242ec
Opcode Fuzzy Hash: af5af7e577b4181119ea57b5f8589b4cd2dab420a335f791aa1a2a725df60e81
Instruction Fuzzy Hash: 20B13672D082559FDF158F68C881BFEBBE5EF5A304F1481EAE806AB741D6349D01CBA1

Function 00B9CA5E Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B9CA6A
IsDebuggerPresent.KERNEL32 ref: 00B9CB36
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B9CB4F
UnhandledExceptionFilter.KERNEL32(?), ref: 00B9CB59

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1e96cc761437b0560afdbd851c2e020037b75eaebabf0f966e467c026e7f31fd
Instruction ID: 9ee2f189c7a87bea24b0673aa14205a822555676229475ed26ed624ecedb892e
Opcode Fuzzy Hash: 1e96cc761437b0560afdbd851c2e020037b75eaebabf0f966e467c026e7f31fd
Instruction Fuzzy Hash: E831E475D012189BDF20EFA5D9897CDBBB8AF08300F5041EAE50CAB250EB719A84CF45

Function 00BB2602 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BB2656
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BB26A0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BB2766

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: a8e270cf526f4c90d97ebfd6cd80c89aed62257c0f924616dc717f832c65fc61
Instruction ID: c95aa48376a2f2c9032b00c4875119e92b76eae3e95d0ba178edaf350e08fccd
Opcode Fuzzy Hash: a8e270cf526f4c90d97ebfd6cd80c89aed62257c0f924616dc717f832c65fc61
Instruction Fuzzy Hash: 30615971A042179FEB289F29CC82BFAB7E8EF14300F1041E9E905D6585EBB4DD81DB94

Function 00BA0943 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00BA0A3B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00BA0A45
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 00BA0A52

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8d4e3d272ddaaafd8a56b0e40c42c69a7f9cc582c014a94f5804f667434ab941
Instruction ID: 5ba275575be40ed6ff53609049033f16ef63d736f418d94de1470025861569b0
Opcode Fuzzy Hash: 8d4e3d272ddaaafd8a56b0e40c42c69a7f9cc582c014a94f5804f667434ab941
Instruction Fuzzy Hash: 603192749112189BCB21EF65D98978DBBF8BF18310F5041EAE51CA7251EB709F858F44

Function 00BA1880 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6ae3fd9483a391f05e8f627912ce56f86d589dfd76ba79aad035c388c53a6b
Instruction ID: b4d5a540640ff3620461dcb6e3d4217623399e3001985c28d95b3a4531275f4c
Opcode Fuzzy Hash: af6ae3fd9483a391f05e8f627912ce56f86d589dfd76ba79aad035c388c53a6b
Instruction Fuzzy Hash: 58F12C71E052199FDF14CF6DC880AADB7F1EF89324F1586A9E815AB390E730AD05CB94

Function 00BA95A9 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00BA97D6

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4b13fd7eacb78ec65e2fc50d71992c019d676bf75c33b1694e7ebf95633c3543
Instruction ID: 1957f805f4c5750cbea992b71316c7702522220a19677220f9bfe79309067a17
Opcode Fuzzy Hash: 4b13fd7eacb78ec65e2fc50d71992c019d676bf75c33b1694e7ebf95633c3543
Instruction Fuzzy Hash: 86B15A35624608DFDB19CF28C486B657BE0FF46364F258698E89ACF2A1C735ED81DB40

Function 00B9C745 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B9C75B

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ff4e21ae3e0196d739bb8beab7663ffe729e32e470ef115cb08f0e0c01a62266
Instruction ID: 5e3aeb0dc0ab22023ee3fb00f5cbf8d0f63047131cb2ea1145b64f2cefa6d763
Opcode Fuzzy Hash: ff4e21ae3e0196d739bb8beab7663ffe729e32e470ef115cb08f0e0c01a62266
Instruction Fuzzy Hash: 895147B1A00645CBEB19CF59D9867AEBBF0FB49358F14C5AAD405EB290D3749E01CFA0

Function 00BAF66C Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b15bd5ec7a740bd85ea4a33a7312636155f7c7886b53dc2ae9b0305431c9be
Instruction ID: a0d5697b863b5dc835ed39cfab8f18c35e9b7c0a5e7cebf1536c08e393810d97
Opcode Fuzzy Hash: c2b15bd5ec7a740bd85ea4a33a7312636155f7c7886b53dc2ae9b0305431c9be
Instruction Fuzzy Hash: A7417275808219AFDF209FB9CC89AFABBF9EB46304F1442E9E458D3211DA359E458F10

Function 00BA464E Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 00BA47DC

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a09506f314829c4894c3238bc7ecc2bb3346f162d1671b72ecaffef87c49290e
Instruction ID: 2549591ddfaf58ab3ece0c652dbc87c2d6c780a57e9d6d393b724346396309dd
Opcode Fuzzy Hash: a09506f314829c4894c3238bc7ecc2bb3346f162d1671b72ecaffef87c49290e
Instruction Fuzzy Hash: 58C1BF74A086868FCB24CF68C4806ABB7F1FFC7310F2446E9D4969B691C7B4AD49CB51

Function 00BB2855 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BB28A9

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d55729d56d51791eadfdd87faa614ef92172a9513b642e59df80cbc28700d1c1
Instruction ID: 14652f8eba9d2d2fc17e7b27a0a6666f57a9503eca9dbc96cfdb36941e289791
Opcode Fuzzy Hash: d55729d56d51791eadfdd87faa614ef92172a9513b642e59df80cbc28700d1c1
Instruction Fuzzy Hash: E0217F72A0420AAFEB289B25DC42AFA73E8EF45314F1040BAF905D6145EAB5ED448650

Function 00BB24DC Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

EnumSystemLocalesW.KERNEL32(00BB2602,00000001,00000000,?,-00000050,?,00BB2C33,00000000,?,?,?,00000055,?), ref: 00BB254E

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7f95f00f113003e0a19a97dcab17ca63845cdfbde0a40220ca05f32e916698ed
Instruction ID: 3c593afe451876414a22f9bd9fbe12312c89cc8e717b07c1653bfb326ac39da1
Opcode Fuzzy Hash: 7f95f00f113003e0a19a97dcab17ca63845cdfbde0a40220ca05f32e916698ed
Instruction Fuzzy Hash: 5C1108376007059FDB289F39D8A16BAB7D2FF94358B14446CE98787B40E7B1B942D740

Function 00BB2A84 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00BB281E,00000000,00000000,?), ref: 00BB2AB0

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: bcc621bfccc93eb99509ea9eef45d2cab837a852583896e28040a8923be19a9e
Instruction ID: 0d5f02ef2afaf7d1406515736b564491549d0f953cb30904732b7220353f8088
Opcode Fuzzy Hash: bcc621bfccc93eb99509ea9eef45d2cab837a852583896e28040a8923be19a9e
Instruction Fuzzy Hash: 8BF0A9326005127BDB3467248C45AFB77D8EB40758F2544A5ED06A3580EAB5FE42C590

Function 00BB23EA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00BB243E

Strings

utf8, xrefs: 00BB23AD

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: b8356529b4fc1cd8dd70c71521592a2f27b9c4236e626a4aaea4685dd8319332
Instruction ID: 463b4c0451564ef08295e07e9ab59064ac944f80f56d4062e1047b43b02ecc82
Opcode Fuzzy Hash: b8356529b4fc1cd8dd70c71521592a2f27b9c4236e626a4aaea4685dd8319332
Instruction Fuzzy Hash: 1AF0A433A14106ABDB14AB24DC4AAFA73E8DB49354F1541B9B606DB281EE74AD058790

Function 00BB2577 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

EnumSystemLocalesW.KERNEL32(00BB2855,00000001,?,?,-00000050,?,00BB2BF7,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00BB25C1

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b5d09a88f76ec002083494c700eb8b36bd5448836b2e96be0d5d88538b52d230
Instruction ID: 844af3fafc4ba9220350a1c3c7acc8f3eb419bc01ed40ef130c35bf580f186ba
Opcode Fuzzy Hash: b5d09a88f76ec002083494c700eb8b36bd5448836b2e96be0d5d88538b52d230
Instruction Fuzzy Hash: 3AF0F0362003046FDB245F39DC96ABA7BD5FF84768F0584ACFE458BA90DAF1AC42C650

Function 00BAA198 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BA5359: EnterCriticalSection.KERNEL32(?,?,00BA85AF,00000000,00BC4230,0000000C,00BA8576,?,?,00BA9C22,?,?,00BA90BE,00000001,00000364,?), ref: 00BA5368

EnumSystemLocalesW.KERNEL32(00BAA18B,00000001,00BC4398,0000000C,00BAA5BA,00000000), ref: 00BAA1D0

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7bb5e897a534db4c5abb42fa8ab714f33e5cdedb37f15506fe3f9ee556196db5
Instruction ID: 5e3587a90d3f30c1faf90c3e0473851cab5d7fa662fa6e08c0beb67194e028e3
Opcode Fuzzy Hash: 7bb5e897a534db4c5abb42fa8ab714f33e5cdedb37f15506fe3f9ee556196db5
Instruction Fuzzy Hash: D9F04F72A14204EFDB00DF98E842B9D7BF0FB46725F0081AAF411E72A0C7B54A01CB95

Function 00BB2491 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BA8F20: GetLastError.KERNEL32(?,00000008,00BA9F60), ref: 00BA8F24
Part of subcall function 00BA8F20: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00BA8FC6

EnumSystemLocalesW.KERNEL32(00BB23EA,00000001,?,?,?,00BB2C55,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00BB24C8

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0d0694a9f611e1f49ee0a8d9c8612283759d4b37f55f59f90e7dfbefb1b0ff99
Instruction ID: f8da5a4475ecb267c4d2ac7eb185c9ebc6105056823e1a3ec87ce13bc8a8f389
Opcode Fuzzy Hash: 0d0694a9f611e1f49ee0a8d9c8612283759d4b37f55f59f90e7dfbefb1b0ff99
Instruction Fuzzy Hash: 16F0E5363002056BDB14AF39D8556BA7FD4EFC2764B064098FB058B690D6B59843C7A0

Function 00BAA6BE Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00BA811A,?,20001004,00000000,00000002,?,?,00BA771C), ref: 00BAA6F2

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 47c47f9a8a7dd4acd79b59d8d852e175d9e19dedb8eeef76a858752df14c0806
Instruction ID: bf1fc34da10cae4acb5a9fdc9e9c716254bc1d35be75a958c3860d068b701035
Opcode Fuzzy Hash: 47c47f9a8a7dd4acd79b59d8d852e175d9e19dedb8eeef76a858752df14c0806
Instruction Fuzzy Hash: 5AE04F31544219BBCF122F64DC09AEE3F59EF45761F044091FD0566120CB728D61EAA6

Function 00B9CBBA Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000CBC6,00B9C057), ref: 00B9CBBF

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a7604ec4b3d391624764f4aa35cc2c575f8136baa38b2699af73fa9a615e5053
Instruction ID: edffd012f1695595bb5f459a7a7133054636de4c73a25f136fd7f6e57c36ab0e
Opcode Fuzzy Hash: a7604ec4b3d391624764f4aa35cc2c575f8136baa38b2699af73fa9a615e5053
Instruction Fuzzy Hash:

Function 00BB2DB5 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00BB2DB5

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5a9af41208e3b647d08f23fffce6811d6e85421160be14c1d088381eb088d0d4
Instruction ID: e87ad94f9dceb3ec16b5b0c92319d1dff7043cce5e0c425c7e244767b77a7abc
Opcode Fuzzy Hash: 5a9af41208e3b647d08f23fffce6811d6e85421160be14c1d088381eb088d0d4
Instruction Fuzzy Hash: FFA01130202202CB83808F30AA0838C3AAAAA0AB80B088028A80CC2030EA308080AA02

Function 00B97A00 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68d157ed3f23d2e7f712cb80350cb65e748a041e233389d36e2ce437137fa02
Instruction ID: da001a919bedc117ce7d9b6f9347d57b7f59bdcd20a62a736f531ff9b9819bff
Opcode Fuzzy Hash: d68d157ed3f23d2e7f712cb80350cb65e748a041e233389d36e2ce437137fa02
Instruction Fuzzy Hash: A4D1AE729187409FCB14DF28C841A2FBBE5FFC9344F054AADF985A7211EB30E9448B92

Function 00BB1CA0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 42b7fa85c6344ce83373d20aab8300f1e43932c152fddb5b788e9f2871902126
Instruction ID: bbe9081eb2db3d49288bd7199bfb05ce63f9322835c527076666a67bc34ad402
Opcode Fuzzy Hash: 42b7fa85c6344ce83373d20aab8300f1e43932c152fddb5b788e9f2871902126
Instruction Fuzzy Hash: 97B117755007029BDB349F29CCA2AF7B3E8EF45308F9449ADEA47C6580EBB5E945CB10

Function 00BADFC5 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64790d26a2dc6237abb0fb2d2b8c559971759db760470901cd63eb1399a2f77a
Instruction ID: 04da8b237a030443b997c1ce2ddaac54fc1036bb81e90139c76524c0559d59b6
Opcode Fuzzy Hash: 64790d26a2dc6237abb0fb2d2b8c559971759db760470901cd63eb1399a2f77a
Instruction Fuzzy Hash: A7E08C32915228EFCB14DB8DC944D8AF3ECEB4AB50B11009AF502D3200CA70DE00C7D0

Function 00BA6C75 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ce65965f677a269b1c60671c8da158d5b00d0bbadb482b9f42c654bd54b25c
Instruction ID: e15933e91b374665055a825c9ccdadbda085a11f376a03163b500c8c921ea892
Opcode Fuzzy Hash: 91ce65965f677a269b1c60671c8da158d5b00d0bbadb482b9f42c654bd54b25c
Instruction Fuzzy Hash: 5DC08C750049804ACF29CA1082713A933E4E793792F8808CCC4430BBC2E51EAC82D640

Function 00B922D0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B922E5
std::_Lockit::_Lockit.LIBCPMT ref: 00B922FF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B92320
std::_Lockit::~_Lockit.LIBCPMT ref: 00B92378
std::_Lockit::_Lockit.LIBCPMT ref: 00B923BD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B9240E
__Getctype.LIBCPMT ref: 00B92425
std::_Facet_Register.LIBCPMT ref: 00B9244F
std::_Lockit::~_Lockit.LIBCPMT ref: 00B92468

Strings

($j, xrefs: 00B922F0, 00B9245E
bad locale name, xrefs: 00B92477

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: ($j$bad locale name
API String ID: 2236780835-2769417048
Opcode ID: 69cddbba7e37e9342aee78433fff38bd3c1ab820f606d2433b4d01ab81e47ca5
Instruction ID: b357816b487b258d9522b0b39d4d8af8ba587fdcef3a8ded9182584b7c9d543c
Opcode Fuzzy Hash: 69cddbba7e37e9342aee78433fff38bd3c1ab820f606d2433b4d01ab81e47ca5
Instruction Fuzzy Hash: 2D41F331908390AFCB11DF14D880BAABBE0FF91714F1585ACE8859B362D735E945CBD2

Function 00B92140 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B92152
std::_Lockit::_Lockit.LIBCPMT ref: 00B9216F
std::_Lockit::~_Lockit.LIBCPMT ref: 00B92190
std::_Lockit::~_Lockit.LIBCPMT ref: 00B921EB
std::_Lockit::_Lockit.LIBCPMT ref: 00B9222C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B9226F
std::_Facet_Register.LIBCPMT ref: 00B92298
std::_Lockit::~_Lockit.LIBCPMT ref: 00B922B1

Strings

bad locale name, xrefs: 00B922C0

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 3126792616-1405518554
Opcode ID: 3dfdabef3e895de65311e2561544725de807202aae20ada7542d32358d57fea8
Instruction ID: 340145446c0a891ec6dbcb505d776b8c0479f9e74c64df077c5d73c86c048f08
Opcode Fuzzy Hash: 3dfdabef3e895de65311e2561544725de807202aae20ada7542d32358d57fea8
Instruction Fuzzy Hash: 9A41AD72904350AFCB11DF18D880A9ABBE0FF95710F1584BDE989A7361DB31EE05CB92

Function 00B92490 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B924A2
std::_Lockit::_Lockit.LIBCPMT ref: 00B924BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B924E0
std::_Lockit::~_Lockit.LIBCPMT ref: 00B9253B
std::_Lockit::_Lockit.LIBCPMT ref: 00B9257C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B925BF
std::_Facet_Register.LIBCPMT ref: 00B925E8
std::_Lockit::~_Lockit.LIBCPMT ref: 00B92601

Strings

bad locale name, xrefs: 00B92610

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 3126792616-1405518554
Opcode ID: a8a502ae7aeb1ca1cb1105661979990a316f48a217ab76f403310452d0968294
Instruction ID: b597bb2a68c8e67c416bdd4a11de83f3693b087cb96d269913a77608297abdcb
Opcode Fuzzy Hash: a8a502ae7aeb1ca1cb1105661979990a316f48a217ab76f403310452d0968294
Instruction Fuzzy Hash: 4E41AD71908340AFCB10DF18D890A9ABBE4FB95710F1688ADE88997361D731EE45CB92

Function 00B95860 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B958C1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B95908
Concurrency::cancel_current_task.LIBCPMT ref: 00B959CA
Concurrency::cancel_current_task.LIBCPMT ref: 00B959CF
Concurrency::cancel_current_task.LIBCPMT ref: 00B959D4

Strings

false, xrefs: 00B95962
bad locale name, xrefs: 00B959D9
true, xrefs: 00B95988

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: a1cf1cc62b3e6a9ab114f5b1ca013f0ebc2e1b4d1deb2e4e5d3442a51189b422
Instruction ID: f71f8d416bf96d10124cc7d43a6dec614e5647d77fc18b7d6c093e5ea825b8a5
Opcode Fuzzy Hash: a1cf1cc62b3e6a9ab114f5b1ca013f0ebc2e1b4d1deb2e4e5d3442a51189b422
Instruction Fuzzy Hash: 384102705493409FDB20EF68888179ABBE4FF85710F4449BEF5889B342E7B0D905CBA2

Function 00B9BF05 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B9BF0B
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00B9BF19
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B9BF2A
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B9BF3B

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00B9BF1F
kernel32.dll, xrefs: 00B9BF06
GetTempPath2W, xrefs: 00B9BF30
GetCurrentPackageId, xrefs: 00B9BF13

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 676e815e005e2461f53649c76ebc81d5842c03ef2077e99d186edaaaf86fcbc6
Instruction ID: 4954899c2eebf486b6b756b745ab314e4c9578141a4209f8a3916cede9bda776
Opcode Fuzzy Hash: 676e815e005e2461f53649c76ebc81d5842c03ef2077e99d186edaaaf86fcbc6
Instruction Fuzzy Hash: 83E0B671A95260BF8B20AFB0AC49ADA3EA4BA5A6113408652B501D32B4EAF046408B61

Function 00B9F8A8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B9F9C7
___TypeMatch.LIBVCRUNTIME ref: 00B9FAD5
_UnwindNestedFrames.LIBCMT ref: 00B9FC27
CallUnexpected.LIBVCRUNTIME ref: 00B9FC42

Strings

csm, xrefs: 00B9F8E5
csm, xrefs: 00B9F952
csm, xrefs: 00B9F9FE

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 40ddbdb3c391d248ce8b7a4684fd7c3eb0e015b8c653cb73d1e7504e94a067d8
Instruction ID: 64efbc99c08c9326fa91bc081f39bd44ce1f771fe6d5ae70d88f3395f3a6ff55
Opcode Fuzzy Hash: 40ddbdb3c391d248ce8b7a4684fd7c3eb0e015b8c653cb73d1e7504e94a067d8
Instruction Fuzzy Hash: 2FB1477180020AAFCF19DFA4D991ABEBBF5FF14324F1441BAE815AB212D731DA51CB91

Function 00BAC9F6 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00BACC6F

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 8ea82962b1fd3e4ad16b4035ed532e2b0592bfa1da98ea10e141e43a01666e88
Instruction ID: 785678d144abc897182e2fc6539a3c60f735b2512660f8ad8f4783d965401af8
Opcode Fuzzy Hash: 8ea82962b1fd3e4ad16b4035ed532e2b0592bfa1da98ea10e141e43a01666e88
Instruction Fuzzy Hash: 16B1F571A08249AFDB15DF98C980BAD7FF1EF47314F1481E4E858AB292D7719D42CBA0

Function 00BB71BF Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0069FD48,0069FD48,?,7FFFFFFF,?,00BB748F,0069FD48,0069FD48,?,0069FD48,?,?,?,?,0069FD48,?), ref: 00BB7265
__alloca_probe_16.LIBCMT ref: 00BB7320
__alloca_probe_16.LIBCMT ref: 00BB73AF
__freea.LIBCMT ref: 00BB73FA
__freea.LIBCMT ref: 00BB7400
__freea.LIBCMT ref: 00BB7436
__freea.LIBCMT ref: 00BB743C
__freea.LIBCMT ref: 00BB744C

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 7b5d1971e63cf992710cdceb84e5d0e6a99cb0148bdb61ef4113fcc8406be057
Instruction ID: 18e6f38d627e5916df9e53edae9b30539955dbc9f18f3140f8b518a64d677203
Opcode Fuzzy Hash: 7b5d1971e63cf992710cdceb84e5d0e6a99cb0148bdb61ef4113fcc8406be057
Instruction Fuzzy Hash: DA71B1729882055FDF219AA48C82FFE7BE9DF86310F2500D9F945A7281EFB5D801C7A5

Function 00B9BD1B Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00B9BD64
__alloca_probe_16.LIBCMT ref: 00B9BD90
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00B9BDCF
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B9BDEC
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B9BE2B
__alloca_probe_16.LIBCMT ref: 00B9BE48
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B9BE8A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B9BEAD

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 68b9fa7dc612a14bff198c96ec886f16945b441a9fa1cf71519df873e3567f2f
Instruction ID: 55c01e36017043020829064ddc4119562f778f3037fe63b47ed6bbe490397d98
Opcode Fuzzy Hash: 68b9fa7dc612a14bff198c96ec886f16945b441a9fa1cf71519df873e3567f2f
Instruction Fuzzy Hash: 1051BC7250061AAFEF209F61ED85FEB7BE9EF45750F1149B5FA0096190D7748C00CB60

Function 00BAA361 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,0C3C7A9A,?,00BAA46E,?,?,?,00000000), ref: 00BAA422

Strings

ext-ms-, xrefs: 00BAA3CC
api-ms-, xrefs: 00BAA3B8

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 9f4b58deeb5c1023cb4720677682f9a50b8707e6131688c7f52f0fd484cee149
Instruction ID: 857400cce833d72df0207c86529bb11183ff759ab04b5bb12e7d330e3bd6ff36
Opcode Fuzzy Hash: 9f4b58deeb5c1023cb4720677682f9a50b8707e6131688c7f52f0fd484cee149
Instruction Fuzzy Hash: D221E732A05251ABCB21AB249C84AAE77E8DF47760F1442A0FD15A7390EFB0ED04C6F1

Function 00B92620 Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B9262D
std::_Lockit::_Lockit.LIBCPMT ref: 00B9264B
std::_Lockit::~_Lockit.LIBCPMT ref: 00B9266C
std::_Lockit::~_Lockit.LIBCPMT ref: 00B926BC
std::_Facet_Register.LIBCPMT ref: 00B926E6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B926FF

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register
String ID:
API String ID: 1858714459-0
Opcode ID: 0943d3ee0cd98a2b1020a2abc586e1c8af66c187cd34d1064720c84a78c8b1aa
Instruction ID: eea8becafddd740227b1751b9fa6b313dae716a9e49f0ec11de8e726475b284f
Opcode Fuzzy Hash: 0943d3ee0cd98a2b1020a2abc586e1c8af66c187cd34d1064720c84a78c8b1aa
Instruction Fuzzy Hash: 4021F831900250AFCF11DF14E881A9EBBE0FB86324F1585BDE88557261DB31EE0ACBD2

Function 00B9F53A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B9F531,00B9DC6D,00B9AB8F,0C3C7A9A,?,?,?,?,00BB8872,000000FF), ref: 00B9F548
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B9F556
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B9F56F
SetLastError.KERNEL32(00000000,?,00B9F531,00B9DC6D,00B9AB8F,0C3C7A9A,?,?,?,?,00BB8872,000000FF), ref: 00B9F5C1

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 33bea3f7aaf043f4c8b980a482d689da56d14e5e23988c8adc5ef9e607f84ada
Instruction ID: cd8b3d08c818b32bf6c3d71d1b5177ab1242fadd611e12f04cb264679415059a
Opcode Fuzzy Hash: 33bea3f7aaf043f4c8b980a482d689da56d14e5e23988c8adc5ef9e607f84ada
Instruction Fuzzy Hash: FA01D43651C2125EEE243A74AC8577A26D8EB237F5B2283BAF610C21F0EF518C029240

Function 00BA6C97 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0C3C7A9A,?,?,00000000,00BB8A7C,000000FF,?,00BA6C27,?,?,00BA6BFB,00000016), ref: 00BA6CCC
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BA6CDE
FreeLibrary.KERNEL32(00000000,?,00000000,00BB8A7C,000000FF,?,00BA6C27,?,?,00BA6BFB,00000016), ref: 00BA6D00

Strings

CorExitProcess, xrefs: 00BA6CD6
mscoree.dll, xrefs: 00BA6CC5

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a5cb48b053d69bb3598b061eaf4ce14f408797186db1cd1af884ecfc2ae73490
Instruction ID: 0866929b7050a6ef5f2fcd9e0f832276d5cad43e0366b2b449e5eccab5aa2419
Opcode Fuzzy Hash: a5cb48b053d69bb3598b061eaf4ce14f408797186db1cd1af884ecfc2ae73490
Instruction Fuzzy Hash: BD01A271A04629EFDB119F44DC49BFEBBF8FB04B50F044265EC11A22E0DFB49804CA50

Function 00B9AD78 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B9AD8C
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,0C3C7A9A), ref: 00B9ADAB
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B9ADD9
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B9AE34
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B9AE4B

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 3c21253323f14df3d4f4f59a38d80dda987e8ea9a0df9769e8a79e23bb1cb76e
Instruction ID: bbedd1d0409ddf96239b3547f3fdb6e1fca74619ef11ca30810d4ce61634daa2
Opcode Fuzzy Hash: 3c21253323f14df3d4f4f59a38d80dda987e8ea9a0df9769e8a79e23bb1cb76e
Instruction Fuzzy Hash: 6A413830900A06DFCF20DF65D4809AAB3F9FF09351B604AB9E54697950D730F985CBA2

Function 00B9B216 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B9B21D
std::_Lockit::_Lockit.LIBCPMT ref: 00B9B228
std::_Lockit::~_Lockit.LIBCPMT ref: 00B9B296

Part of subcall function 00B9B379: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B9B391

std::locale::_Setgloballocale.LIBCPMT ref: 00B9B243
_Yarn.LIBCPMT ref: 00B9B259

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 749174a82f0d7c8aaab6caa99b095aad9d31f4e1562dc3c3dda7ff8b35b6b597
Instruction ID: 39d0d7fa59585e1da7237421408b151460a1759976554928849fc2fa7c1e4d46
Opcode Fuzzy Hash: 749174a82f0d7c8aaab6caa99b095aad9d31f4e1562dc3c3dda7ff8b35b6b597
Instruction Fuzzy Hash: AF01D431A002119BDF06EB20D985ABD7FF5FF85750B1540A8E801573A2CF74AE42DBC6

Function 00BA0632 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00BA05E3,00000000,00000001,00C13ACC,?,?,?,00BA0786,00000004,InitializeCriticalSectionEx,00BBB150,InitializeCriticalSectionEx), ref: 00BA063F
GetLastError.KERNEL32(?,00BA05E3,00000000,00000001,00C13ACC,?,?,?,00BA0786,00000004,InitializeCriticalSectionEx,00BBB150,InitializeCriticalSectionEx,00000000,?,00BA053D), ref: 00BA0649
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00B9F4A3), ref: 00BA0671

Strings

api-ms-, xrefs: 00BA0656

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f974f38525b20fd476e1a6f1e2607c84edfad72fe9e873a4867c5d8cf8ccb771
Instruction ID: b1f21893bf5734ae7731d83c7f36aa8a65dc9b4be57516376d7c050b7d5242bd
Opcode Fuzzy Hash: f974f38525b20fd476e1a6f1e2607c84edfad72fe9e873a4867c5d8cf8ccb771
Instruction Fuzzy Hash: 8FE01A30284204BFEF203B61EC06B693AE5AF41B54F504060FA0CE84A1DFA2982089A4

Function 00BAAF47 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0C3C7A9A,00000000,00000000,00000000), ref: 00BAAFAA

Part of subcall function 00BAF00D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00BAEE32,?,00000000,-00000008), ref: 00BAF0B9

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BAB205
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00BAB24D
GetLastError.KERNEL32 ref: 00BAB2F0

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2fc36d755125fb3e79b3667ce9fa978e75205eaa8613ab0c3fa29e51c2b055c0
Instruction ID: 6affce1bbe407141212f8ed17e77d9967487145a6e12f65b1d415348025378dd
Opcode Fuzzy Hash: 2fc36d755125fb3e79b3667ce9fa978e75205eaa8613ab0c3fa29e51c2b055c0
Instruction Fuzzy Hash: 5FD14BB5D042489FCB15CFE8D880AEDBBF5FF4A304F1841AAE925EB252D730A945CB50

Function 00B95660 Relevance: 6.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B95716
std::_Throw_Cpp_error.LIBCPMT ref: 00B95721
std::_Throw_Cpp_error.LIBCPMT ref: 00B95825
std::_Throw_Cpp_error.LIBCPMT ref: 00B95830

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 3ec27c3f9272dfcaffb6932c175bb84e7f14f21c3b7a8746133af53c0f4b8ae4
Instruction ID: b552e9fc315bbbf25f6fbcf479261be93bf1d001bd00d2361d837d2dadf5ec2d
Opcode Fuzzy Hash: 3ec27c3f9272dfcaffb6932c175bb84e7f14f21c3b7a8746133af53c0f4b8ae4
Instruction Fuzzy Hash: 19510571800B40ABEF36AB749846B5BBBD4EF11300F044DBDF59606992D7B5A948C7A3

Function 00B9F651 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B9F718
___AdjustPointer.LIBCMT ref: 00B9F73B
___AdjustPointer.LIBCMT ref: 00B9F7D7

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 39e47e625f5bd290170701ba83f5ff47df04b90648cd5ad001cb4e041ff520fb
Instruction ID: be5f24ec3983d861b4516cf60a7a060ef0f1f62b4d1558309a2e2a6e7ceeeca6
Opcode Fuzzy Hash: 39e47e625f5bd290170701ba83f5ff47df04b90648cd5ad001cb4e041ff520fb
Instruction Fuzzy Hash: 81519C72A04207AFEF299FA0D881BBA77E4EF04720F1445BDE915872A1D735AC40CB90

Function 00BAF429 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00BAF00D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00BAEE32,?,00000000,-00000008), ref: 00BAF0B9

GetLastError.KERNEL32 ref: 00BAF48D
__dosmaperr.LIBCMT ref: 00BAF494
GetLastError.KERNEL32(?,?,?,?), ref: 00BAF4CE
__dosmaperr.LIBCMT ref: 00BAF4D5

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 1fff2ce16c26348e4939269466784bbf4315b889127d091828c09ecb05e6a4d1
Instruction ID: 27650d51d5680da6d425cb618177bd60906b15f53c4077a3be5a74f38a101481
Opcode Fuzzy Hash: 1fff2ce16c26348e4939269466784bbf4315b889127d091828c09ecb05e6a4d1
Instruction Fuzzy Hash: 7C218871608606AFDB20AFE1C8909BB77E9EF0636471085B9F95997251DF30ED418790

Function 00BA5D9F Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7458342202ed267df22c38dce282617f8f8c68e334b2618d478534c74d4c34
Instruction ID: 6b9e5d50c76bbdadb950fbbe7f6cddf1fe9adf6a9c791bc4b739e247d449a1b6
Opcode Fuzzy Hash: ef7458342202ed267df22c38dce282617f8f8c68e334b2618d478534c74d4c34
Instruction Fuzzy Hash: 4E218171208A05AFDB30AF618C90D6B77EDEF0336471145A5F969D7151EB30EF5087A0

Function 00BB03BF Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BB03C7

Part of subcall function 00BAF00D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00BAEE32,?,00000000,-00000008), ref: 00BAF0B9

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BB03FF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BB041F

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: d7b3fad67adf80d43f07c1cfe1363cbfc8d046bcda469db4bb691a27020fd845
Instruction ID: a9e61ec5b1fb4d7f87c494dec121c95442c2702bd8fb0a583c6fa8c075fa0074
Opcode Fuzzy Hash: d7b3fad67adf80d43f07c1cfe1363cbfc8d046bcda469db4bb691a27020fd845
Instruction Fuzzy Hash: 3A11ADF16156167F6B1137B59C8ECFF3AECDE863A571105E4FA02A2211FEA08E0192B1

Function 00BB6BE7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00BB3C3A,00000000,00000001,00000000,00000000,?,00BAB344,00000000,00000000,00000000), ref: 00BB6BFE
GetLastError.KERNEL32(?,00BB3C3A,00000000,00000001,00000000,00000000,?,00BAB344,00000000,00000000,00000000,00000000,00000000,?,00BAB8CB,00000000), ref: 00BB6C0A

Part of subcall function 00BB6BD0: CloseHandle.KERNEL32(FFFFFFFE,00BB6C1A,?,00BB3C3A,00000000,00000001,00000000,00000000,?,00BAB344,00000000,00000000,00000000,00000000,00000000), ref: 00BB6BE0

___initconout.LIBCMT ref: 00BB6C1A

Part of subcall function 00BB6B92: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00BB6BC1,00BB3C27,00000000,?,00BAB344,00000000,00000000,00000000,00000000), ref: 00BB6BA5

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00BB3C3A,00000000,00000001,00000000,00000000,?,00BAB344,00000000,00000000,00000000,00000000), ref: 00BB6C2F

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6b158d5eb316dc7f17f5f208f89909ef61cd81c534302977a0b757831a455bd1
Instruction ID: e95d4614b2e2df836cad892d415b448313932eef96bd8e06474b8cce3965f892
Opcode Fuzzy Hash: 6b158d5eb316dc7f17f5f208f89909ef61cd81c534302977a0b757831a455bd1
Instruction Fuzzy Hash: FAF0C03650012CBBCF222F95DC19ADD3F76FB0A3B1F548154FA5896130CA768D20EB90

Function 00B9F340 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B9F37F
__IsNonwritableInCurrentImage.LIBCMT ref: 00B9F433

Strings

csm, xrefs: 00B9F41D

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: a21538b824931b59cc17e577da50b84cfea458df3cd3965778cf3fee0cb7bf91
Instruction ID: 452261fc859b38448d08cbc7563daa1209fb7a081e24ee06d83388687a81aa28
Opcode Fuzzy Hash: a21538b824931b59cc17e577da50b84cfea458df3cd3965778cf3fee0cb7bf91
Instruction Fuzzy Hash: A341B230A04209ABCF10EF68C881AAEBBF5EF45324F14C1F5E9149B392D775D901CB90

Function 00B9FC4D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00B9FC72

Strings

MOC, xrefs: 00B9FC84
RCC, xrefs: 00B9FC8C

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 1227a90e758e99c44e5d845ed387a02af9475fcda0b98a807ae571abc1f7a955
Instruction ID: 6c15f0aacd700970ad018a1fdd76d03915f7835aa3b3b87ef3263e9b66111cff
Opcode Fuzzy Hash: 1227a90e758e99c44e5d845ed387a02af9475fcda0b98a807ae571abc1f7a955
Instruction Fuzzy Hash: 0A41387290020AAFCF15DFA8C981AEEBBF5FF48324F1481B9F914A7261D3359951DB50

Function 00B9AC50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B9ACD8
RaiseException.KERNEL32(?,?,?,?,?,00000000), ref: 00B9ACFD

Part of subcall function 00B9CFC0: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B9CCE1,?,?,?,?,00B9CCE1,?,00BC379C), ref: 00B9D020

Part of subcall function 00BA0D70: IsProcessorFeaturePresent.KERNEL32(00000017,00BA0942,?,00BA08B1,00000001,00000016,00BA0AC0,?,?,?,?,?,00000000), ref: 00BA0D8C

Strings

csm, xrefs: 00B9AC8C

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 5d6a63569d0a9b3afc865de02a5719ce85c0fa2c298bf063e0d76862b02e1b7c
Instruction ID: a0a0c0b7f7af560bb3cd14ce4cc165bde80d5c82779432e0c3db93f67d9e505f
Opcode Fuzzy Hash: 5d6a63569d0a9b3afc865de02a5719ce85c0fa2c298bf063e0d76862b02e1b7c
Instruction Fuzzy Hash: C0218072D002189BCF24DF94D845AAEBBF9FF04710F5444A9E805AF290C734AD45CBD2

Function 00B96B00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B96B7E
std::_Throw_Cpp_error.LIBCPMT ref: 00B96B89

Strings

This function cannot be called on a default constructed task, xrefs: 00B960D6

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: This function cannot be called on a default constructed task
API String ID: 2134207285-3567850458
Opcode ID: ab5dabfe104b8a6828bdefc8a6e8b10899e93dee27eb1b301e4132826966d426
Instruction ID: 9f94d483b5962b7c0c9ed64c40ceced9de9c5d4893e1742cf314230192c55875
Opcode Fuzzy Hash: ab5dabfe104b8a6828bdefc8a6e8b10899e93dee27eb1b301e4132826966d426
Instruction Fuzzy Hash: 02112931504300AFDF25AB64D806BABB7E4EF51700F0449FCF599865A1E7B1A458CB93

Function 00BA6DD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00BA6DD5
GetCommandLineW.KERNEL32 ref: 00BA6DE0

Strings

%i, xrefs: 00BA6DDB

Memory Dump Source

Source File: 00000000.00000002.1792917918.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.1792901079.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792938752.0000000000BB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792985424.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_1Gvue8ItW8.jbxd

Similarity

API ID: CommandLine
String ID: %i
API String ID: 3253501508-950836615
Opcode ID: 65d25806847c90e1056840edba40fc5d63de5fa50399fe520b08c48fd73d3819
Instruction ID: 46d853b7f6f35125323eac6f73a49e35792e7f34e54c9ab838c83e1737fbad9a
Opcode Fuzzy Hash: 65d25806847c90e1056840edba40fc5d63de5fa50399fe520b08c48fd73d3819
Instruction Fuzzy Hash: A2B048788102428B8704AF20BDCEB883AB4B64A3063C04195DA2283220EA740202CA00

Analysis Process: RegAsm.exePID: 7460, Parent PID: 7436COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.3%
Total number of Nodes:	38
Total number of Limit Nodes:	1

Executed Functions

Function 00438320 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043B2FC,005C003F,00000006,?,?,00000018,FCFDFEFF,?,bA), ref: 00438346

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 0043878E Relevance: .2, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044b874a55659fa948095ef11831204bb356b2225e975078b5d7879ccd68c00b
Instruction ID: 2cf05e4cf8f6f6dbf893debbf2c53f162e7b1a22df841908556717fdb3880936
Opcode Fuzzy Hash: 044b874a55659fa948095ef11831204bb356b2225e975078b5d7879ccd68c00b
Instruction Fuzzy Hash: 4A515474600B019FD338CF04C991B23B7E2AB89704F249A1DE5965BBA5DB75F802CB48

Function 004389A3 Relevance: .1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c95184dcf7c07f8d7c13873dbb68fca03d6ede8ffde89fc6f6fcd018078773
Instruction ID: 79eb86affbbb3008090b733135b6854575ca707f7b79335950cbdad60a3e140a
Opcode Fuzzy Hash: a2c95184dcf7c07f8d7c13873dbb68fca03d6ede8ffde89fc6f6fcd018078773
Instruction Fuzzy Hash: BF213974604B418BD728CF04D4E0A37F7A2EF8A304F24A95EE49747B55CB75AC46DB48

Function 004092D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00409329

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 004092FB

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: 6bb019bc48d639c8d66610fb0196f6cd95211f2d8c0977f5060d02f71867bf4a
Instruction ID: c9cb50bf6bf141655dc87ef0ae3040be436f68c1221d25903396ab8f3c92cebf
Opcode Fuzzy Hash: 6bb019bc48d639c8d66610fb0196f6cd95211f2d8c0977f5060d02f71867bf4a
Instruction Fuzzy Hash: 24E0393040C201D9CA54BB7192522A977A46FA8308F11483FEDC1B12E3DB3D884A9A6F

Function 00437AD7 Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 00437AD7
GetLogicalDrives.KERNELBASE ref: 00437AE2

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: b540a48382952d41cb8f3814b904b0b0bdefd46bf9d723699629da43a78b1796
Instruction ID: a47c07ae15452c95a21e58e00c346428eb9ef769f1dc06488aa2f6ad3c72eddf
Opcode Fuzzy Hash: b540a48382952d41cb8f3814b904b0b0bdefd46bf9d723699629da43a78b1796
Instruction Fuzzy Hash: 3CC012786112009FC708A725EC150197731EB46609315903EE40242365CE3684098A4D

Function 0040A690 Relevance: 1.8, APIs: 1, Instructions: 317
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 0040A7C3

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fcdacc4a8362a72f717871775c4339c361b00aa55d82c45d43573f11ad3fc477
Instruction ID: 694cfbb1631157e8e0ed226ac6b1e342c32a53261db2656c02c5ec5e4d54bb27
Opcode Fuzzy Hash: fcdacc4a8362a72f717871775c4339c361b00aa55d82c45d43573f11ad3fc477
Instruction Fuzzy Hash: D5D181B5504B408FC360DF38DA8561ABFE0AB56304F048A3ED4DA97792E738A459CB5B

Function 00437CCC Relevance: 1.6, APIs: 1, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 00437DA1

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 449fa25e72c0fdf5e36f1a21c55355699d495bc5e021d8156ebeee141ee6c9dd
Instruction ID: f72b181c648b9e41485b42c861cff61790dcc45bb66c4d6a0fcf813ed363230b
Opcode Fuzzy Hash: 449fa25e72c0fdf5e36f1a21c55355699d495bc5e021d8156ebeee141ee6c9dd
Instruction Fuzzy Hash: E721D7B56106019BDB18CF15DCA162A7BE2EF46308F14843DD8565BB56DB30D814CF59

Function 004381B0 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(00409320), ref: 004381BB

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d300a1c182c2077e89e7dfe57fd24d42c7cde770933798e25a6fb4481fef4116
Instruction ID: e73da9c1ca550ade86c2df5deef5cf4b8e18f51b4ab0f75cbe256fc059d6447c
Opcode Fuzzy Hash: d300a1c182c2077e89e7dfe57fd24d42c7cde770933798e25a6fb4481fef4116
Instruction Fuzzy Hash: 08A00239404040ABCF117B21FD0950D3B77AB56306B64D079B501A0635CE651C21EE0C

Non-executed Functions

Function 0041E274 Relevance: 19.3, Strings: 15, Instructions: 519COMMON

Download Yara Rule

Strings

RD, xrefs: 0041E962
5!, xrefs: 0041EC7A
3S, xrefs: 0041E957
-Y/_, xrefs: 0041E43F
-#, xrefs: 0041EF4D
}v, xrefs: 0041E713
;), xrefs: 0041EC6F
!U![, xrefs: 0041E434
<, xrefs: 0041E94C
[], xrefs: 0041E96D
bA, xrefs: 0041E259
HI, xrefs: 0041E810
"Q$W, xrefs: 0041E429
{|, xrefs: 0041E708
uAtG, xrefs: 0041EE50

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !U![$"Q$W$-Y/_$3S$5!$;)$HI$RD$[]$bA$uAtG${|$}v$-#$<
API String ID: 0-464808535
Opcode ID: 19b6cb9ab93a02827a646f508cb0c35bb4b58a66424fb1cc1268c136a008f0b2
Instruction ID: 85d251671945215b837daedd315465b10013f942ac52b543377f94dd1d46e813
Opcode Fuzzy Hash: 19b6cb9ab93a02827a646f508cb0c35bb4b58a66424fb1cc1268c136a008f0b2
Instruction Fuzzy Hash: D162C8B4109385CAE3B8CF05E881BDABBE1FB86344F908D2DC5D99B255DB748185CF92

Function 00421288 Relevance: 14.4, Strings: 11, Instructions: 654COMMON

Download Yara Rule

Strings

Vb[0, xrefs: 004212D1
[-V#, xrefs: 004211DB
]f\?, xrefs: 004212D8
Y=23, xrefs: 004211F7
U6>G, xrefs: 004212CA
[-V#, xrefs: 00421112
E!G', xrefs: 00421119
E!G', xrefs: 004211E2
PM* , xrefs: 004212BC
Y=23, xrefs: 0042112E
Q35L, xrefs: 004212C3

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: E!G'$E!G'$PM* $Q35L$U6>G$Vb[0$Y=23$Y=23$[-V#$[-V#$]f\?
API String ID: 0-3456503560
Opcode ID: 997a5ab458e2af8f7fa829c70201f0762908d8f9ebdb0b3d8776a430c062fa53
Instruction ID: 5fd28eec1e695261d059a9cddd2b251c86a75db0370a92879bef33610febb659
Opcode Fuzzy Hash: 997a5ab458e2af8f7fa829c70201f0762908d8f9ebdb0b3d8776a430c062fa53
Instruction Fuzzy Hash: 28327BB5600B418FD324CF29D491713BBE2AF9A304F18896DD49B8BBA1D778F845CB54

Function 0042F61A Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042F69C
GetSystemMetrics.USER32 ref: 0042F6AD
DeleteObject.GDI32 ref: 0042F70F
SelectObject.GDI32 ref: 0042F75D
SelectObject.GDI32 ref: 0042F7EB
DeleteObject.GDI32 ref: 0042F822

Strings

, xrefs: 0042F7BE

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 597b8e30144e0e2eceb53b5f22b31e9bd37f884534ba61141307096243fbe6bf
Instruction ID: 215dcb33d68a914d34a3b44855d908f04e9e5e2142284df43b478014995d5bd5
Opcode Fuzzy Hash: 597b8e30144e0e2eceb53b5f22b31e9bd37f884534ba61141307096243fbe6bf
Instruction Fuzzy Hash: EB816AB4A04B00DFC354EF29D585A1ABBF0FF49304F10896DE99ACB761D731A848CB92

Function 004177BA Relevance: 10.8, Strings: 8, Instructions: 780COMMON

Download Yara Rule

Strings

_QPX, xrefs: 00417DF9
GU[C, xrefs: 00417E01
*lpy, xrefs: 00417E31
UW, xrefs: 00417FBE
|oiV, xrefs: 00417E51
q2f`, xrefs: 00417E41
s~`;, xrefs: 00417E49
GFCJ, xrefs: 00417E11

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *lpy$GFCJ$GU[C$_QPX$q2f`$s~`;$|oiV$UW
API String ID: 0-126452777
Opcode ID: 874571777eb0c4d7690a4567f53514362963559b2e34a3bde314e90c543d0463
Instruction ID: 7d47eb114653d1d726cdae475206f5a01ad741cc92355c4efb45072913166f82
Opcode Fuzzy Hash: 874571777eb0c4d7690a4567f53514362963559b2e34a3bde314e90c543d0463
Instruction Fuzzy Hash: 4B428A715083858BC718CF15C4906ABBBF2FFC6358F148A1DE8DA5B381D7789945CB8A

Function 004165D4 Relevance: 9.6, Strings: 7, Instructions: 854COMMON

Download Yara Rule

Strings

tNxk, xrefs: 004165F7
yV, xrefs: 00416607
bjA, xrefs: 00416A4D
}yuf, xrefs: 004165FF
|Fps, xrefs: 004165E7
rjA, xrefs: 00416A62
wxen, xrefs: 00416636

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bjA$rjA$tNxk$wxen$yV$|Fps$}yuf
API String ID: 0-285463896
Opcode ID: 114e6e5e0264a4ed448d7fc14f2699dd1df45e7b100340791603d64a255ebc76
Instruction ID: 467d824c4601f87a7865333182d839afc619194b9d53572c23a6f25b8a2ccca3
Opcode Fuzzy Hash: 114e6e5e0264a4ed448d7fc14f2699dd1df45e7b100340791603d64a255ebc76
Instruction Fuzzy Hash: AB42CBB56083418FC714DF28C89166BBBE1EF89304F154A2EF8D587391E738D981CB9A

Function 0042EAD0 Relevance: 9.2, APIs: 6, Instructions: 165clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042EB2D
GetWindowLongW.USER32 ref: 0042EB5A
GetClipboardData.USER32 ref: 0042EB6E
CloseClipboard.USER32 ref: 0042EC97

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: 9442ce80d2397ba16d82406eab7ac1b596dc54a01643120e3497832b66bc57ea
Instruction ID: 20b27c47ccb5b13297646b9ad50e959624215d224444b37dcb6cb3dbd70bcec4
Opcode Fuzzy Hash: 9442ce80d2397ba16d82406eab7ac1b596dc54a01643120e3497832b66bc57ea
Instruction Fuzzy Hash: 966190B4504740CFC720DF3AD884616BFF0AF5A320F148A6DE4D68B7A6D734A806CB66

Function 0041CB1E Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 618COMMON

Download Yara Rule

Strings

VZ[, xrefs: 0041CC75
tuCK, xrefs: 0041CC95
uMLJ, xrefs: 0041CC8D

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: VZ[$tuCK$uMLJ
API String ID: 0-3793942351
Opcode ID: d27ae5429ca876241fbf3fc9c8b7ecf51f196858ca90d3e1bbe08051f68e6db9
Instruction ID: f5d49edd8e83901a92a3b06d928d8ebedfe163ecb700b6e81eef2cfcbfe5fc17
Opcode Fuzzy Hash: d27ae5429ca876241fbf3fc9c8b7ecf51f196858ca90d3e1bbe08051f68e6db9
Instruction Fuzzy Hash: 3322CBB5608351DFC314CF28D890B6ABBE1FB8A704F19892DE4C59B390D739E941CB96

Function 004146A5 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 351COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00414B9C
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,?,?), ref: 00414BD0

Strings

fr, xrefs: 004149AC

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: fr
API String ID: 237503144-3430272718
Opcode ID: 1d6a050e95d81dc08db0a155775389eb3c9a044462c37621009ee92df2785378
Instruction ID: d2f90663543e0846a8a64cd2ccecfbfdae6383fe26cdc8fe9979ae81a7c8c18f
Opcode Fuzzy Hash: 1d6a050e95d81dc08db0a155775389eb3c9a044462c37621009ee92df2785378
Instruction Fuzzy Hash: D4D166706193808FD374CF14C484BABB7E5AFC6314F544A2DE4C98B2A1DB39A985CB5B

Function 0041F2E1 Relevance: 4.3, Strings: 3, Instructions: 596COMMON

Download Yara Rule

Strings

_U, xrefs: 0041F740
WU, xrefs: 0041F738
^B, xrefs: 0041F748

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: WU$^B$_U
API String ID: 0-591993885
Opcode ID: cd41040d685ea2c313f7dbb6a2624a2e5f5346267575e1b0956321566fb9f1b4
Instruction ID: 26604fa9a37f978f440af0564f2ee4edb63b4cd241d3f45d3be4518d4252efb5
Opcode Fuzzy Hash: cd41040d685ea2c313f7dbb6a2624a2e5f5346267575e1b0956321566fb9f1b4
Instruction Fuzzy Hash: A612BD75508302CBC314DF18C4906ABB7F2FF95744F64892EE4C997361E739998ACB8A

Function 00420210 Relevance: 4.2, Strings: 3, Instructions: 455COMMON

Download Yara Rule

Strings

xu, xrefs: 00420297
uu, xrefs: 0042028C
kq, xrefs: 004202A2

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: kq$uu$xu
API String ID: 0-535774355
Opcode ID: fc64322a301a5e93c18408ef949b478cc6094cd19f7d47e3e4a47550b6a2373a
Instruction ID: 1c2165c96939e3264217c5fc0a4d2196341c5566413f012fcb623f6ae5d2571e
Opcode Fuzzy Hash: fc64322a301a5e93c18408ef949b478cc6094cd19f7d47e3e4a47550b6a2373a
Instruction Fuzzy Hash: CF0276B46083809FE724DF14E894B2BBBE2FBD5344F54492DE0C59B262D7399851CF86

Function 00413C3A Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

A, xrefs: 00414271
0, xrefs: 00413C59

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: A$0
API String ID: 0-656361183
Opcode ID: 6c73cbdd669adeee578ace77e95927fd4416312482b92dedc921ff671c155627
Instruction ID: e0c997abc26ea5b074cfc10ef48591b167812406c997c3c776c1ceb64f9b5363
Opcode Fuzzy Hash: 6c73cbdd669adeee578ace77e95927fd4416312482b92dedc921ff671c155627
Instruction Fuzzy Hash: E68156B02083808FD335CF14C4947DABBE2ABD6314F18496ED8D98B392DB7A9585CB56

Function 00424BC0 Relevance: 1.8, Strings: 1, Instructions: 561COMMON

Download Yara Rule

Strings

", xrefs: 004250A1

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: adf6ed3e698e2dd5574221ee585976b2ec91fd27fac6ea7a494ecf8a47db6e87
Instruction ID: 86c222965204581046d0eee725827c16c28f66926ab6f1be5d5431f76e2c7699
Opcode Fuzzy Hash: adf6ed3e698e2dd5574221ee585976b2ec91fd27fac6ea7a494ecf8a47db6e87
Instruction Fuzzy Hash: DA020571B083219FD714CE29D88072BB7E5EFC5354F88896EE899C7381E638DD058B96

Function 00426C18 Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

P6D., xrefs: 0042737B

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: P6D.
API String ID: 0-2188168786
Opcode ID: d4aa32c36da15f0e938d6e4ec00f5013e8a4da2126bbdb2f2e17faf83540c73d
Instruction ID: d0591a4521c5945aa649341e4b3688b1c8e6dc550d27dab62784e6145c7dacbc
Opcode Fuzzy Hash: d4aa32c36da15f0e938d6e4ec00f5013e8a4da2126bbdb2f2e17faf83540c73d
Instruction Fuzzy Hash: 08F17B70204B918FD735CF2AC490BA7BBF1AF56304F58496EC4EA8B792D739A449CB14

Function 00426FB0 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

P6D., xrefs: 0042737B

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: P6D.
API String ID: 0-2188168786
Opcode ID: 81445dc25f918b03dae5532813b050ce03539f3b8583c7e5eb569cf7d2ebcef2
Instruction ID: a596d029d974648880208cc2360ea4cb246b11e167ba61bd996dfb6d99741efc
Opcode Fuzzy Hash: 81445dc25f918b03dae5532813b050ce03539f3b8583c7e5eb569cf7d2ebcef2
Instruction Fuzzy Hash: D8D1AD70204B918FD725CF29C490BA7BBF1AF56304F58496EC4EB8B792DB39A449CB14

Function 004138FD Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

x, xrefs: 00413B04

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 00b71554387ea3534e494a4f9f4899544b8668c0752fbe8079921a4fcfff5bfc
Instruction ID: 8fd463b269a7a3957ed6b0a4189cd9e6052444ae2363209e1951705bc26e5c6c
Opcode Fuzzy Hash: 00b71554387ea3534e494a4f9f4899544b8668c0752fbe8079921a4fcfff5bfc
Instruction Fuzzy Hash: 9181A271A083409FC725CF18C484BABB7E5AF86314F04492EF4DA87391D7789A85CB97

Function 00415E0B Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

]A, xrefs: 00415DDA

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ]A
API String ID: 0-3942631043
Opcode ID: 77a47f286c6bcbc44aa191ea336216389c5aa7aaa75078af2d2d6d9255a96ed4
Instruction ID: 88110684d43a2d23bab092def3d20486dfea0ad500bfecadd86f3b2e11d6b500
Opcode Fuzzy Hash: 77a47f286c6bcbc44aa191ea336216389c5aa7aaa75078af2d2d6d9255a96ed4
Instruction Fuzzy Hash: BF71C274500A00CFC728CF28D991A7773B2FF9A314758866DD5868BBA1EB39F851CB94

Function 00422AD1 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

& B, xrefs: 00422B90, 00422C6E

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: & B
API String ID: 0-3470255966
Opcode ID: 3b20ebea1024a802e5d78e1439fc98d15b6c3c5caf8cec883990154cbdbc3c2b
Instruction ID: 97350ce0ab16778797588418698f8ea2a93937be802be3b237760b229504a026
Opcode Fuzzy Hash: 3b20ebea1024a802e5d78e1439fc98d15b6c3c5caf8cec883990154cbdbc3c2b
Instruction Fuzzy Hash: FC419D346082A1EFD7289F04D5A0B2FBBA2FB85344FA4191EE58217751C376A811CF9A

Function 0043857C Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

"@E, xrefs: 004385D8

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "@E
API String ID: 0-843559302
Opcode ID: bff0bf0d1777f859e2dbe93fb29319f1f67baa5c0654329b282fa691da219b1d
Instruction ID: dbb33a83d536ebf5fa0ea25f45846df316eb77a4a33f4542893643f65e6850a9
Opcode Fuzzy Hash: bff0bf0d1777f859e2dbe93fb29319f1f67baa5c0654329b282fa691da219b1d
Instruction Fuzzy Hash: 7501FB34254140CBDB29CF19C5E1A25F7E1EF5A308F18A85DD5868B396D739A845CB88

Function 0041C530 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab62303539955bd95230b7125987844e4bfd44cd9b6a0d4408a5446568b9d93f
Instruction ID: 87bb4e0cd7287ba6e13664a6a389a294ff2a99fd859947e59b2ce07af86d3d55
Opcode Fuzzy Hash: ab62303539955bd95230b7125987844e4bfd44cd9b6a0d4408a5446568b9d93f
Instruction Fuzzy Hash: 48A1BFB1A443119BCB209F14CCD1BABB3E1EF95354F18491EE89657391E378DD80CB9A

Function 0041FE30 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb11e1f1a5072700c971984d345dc6ce7588a8c06ee241612960d902c317378
Instruction ID: 578618304e1e6edbbc53f92c97c895c0cb153a14734f1648a83d3c7b86a6326e
Opcode Fuzzy Hash: 7fb11e1f1a5072700c971984d345dc6ce7588a8c06ee241612960d902c317378
Instruction Fuzzy Hash: 38919AB11083409BD314CF18C891A6BBBF1FF85358F154A1DE4C98B391E779D94ACB8A

Function 00437740 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7445ada3c4e85ce49fc40c125633498c91604dbe3399542091493906c0f33ae3
Instruction ID: 92a2e04ee97317fe24bda433d9ac0bdbb073839fc6768deef82f97a72007f9cd
Opcode Fuzzy Hash: 7445ada3c4e85ce49fc40c125633498c91604dbe3399542091493906c0f33ae3
Instruction Fuzzy Hash: 1C81F7B460C3528FD725CF18C49062AFBE1AFC9314F18966EE4D58B352D235E806CB56

Function 004275B6 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad08ab66fa3dd150af01fdd681d9423cf8bdebc7d25c60bebb7bd4e8b55ebf1
Instruction ID: 6946e0d6b54ad114bc8b2b978a00d4ec1e7363f26eff0d187c7a2d407db216d2
Opcode Fuzzy Hash: 2ad08ab66fa3dd150af01fdd681d9423cf8bdebc7d25c60bebb7bd4e8b55ebf1
Instruction Fuzzy Hash: 53518534204B418BD329CF29D4A0BB7BBE2EF89315F68496DD49B87B51DB34B845CB44

Function 004159F0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158d479c5145a9205d3ab65a921b8e9941c99e51dc791a90f1cd797b62414836
Instruction ID: 2b1af8b6834acfc50a8f724011b5b50dbd716ff745917a8f4dd016b095905ad2
Opcode Fuzzy Hash: 158d479c5145a9205d3ab65a921b8e9941c99e51dc791a90f1cd797b62414836
Instruction Fuzzy Hash: CD41277194C708CBC3209F54C8C07E7B7E8EFD6354F09462AE88947381E7B99980C79A

Function 00415E18 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d013eb53bfa8aafb41391ec4766f743eec051038b523a3d4f15b619ad4889d3
Instruction ID: af474f354511f4eb8c5214fce8331daca1a7d88c9d6d71eacc042523f230b064
Opcode Fuzzy Hash: 6d013eb53bfa8aafb41391ec4766f743eec051038b523a3d4f15b619ad4889d3
Instruction Fuzzy Hash: 43318BB0900700DFC724CF19C852AA3BBF5FF5A360B19865DE88ACB390E375A941CB95

Function 0041FA7A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f5af266e939ccce1b7378ddab4054c1fbbc1fd21743718fbba20083b2f9bed
Instruction ID: 2f9739cf8b79e149764de2ad18d33ae431cab02926e09e965eece9fdffe7164c
Opcode Fuzzy Hash: d1f5af266e939ccce1b7378ddab4054c1fbbc1fd21743718fbba20083b2f9bed
Instruction Fuzzy Hash: EE212C345083808BC778CB04D8A07ABB3A2FBC5354F94C56DC4CE17651DF356C8A8B8A

Function 00424920 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011eccb829c0754c369a0d0c911fda4cddf60cc09be4ea519ee264c3a8b7ecd4
Instruction ID: 4e929b51ca137bdeabe6b5274e57f178a5ddffb459a8f9238e4324ec68506a5e
Opcode Fuzzy Hash: 011eccb829c0754c369a0d0c911fda4cddf60cc09be4ea519ee264c3a8b7ecd4
Instruction Fuzzy Hash: 7C01B1F170071147DB20AE65F4C073BB2A8EFD5708F58053EE9485B382EB79EC458A99

Function 00410B28 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f7683796af6ba6e4e403cbac95914115f46536e04e9b4791853cf417276b5d
Instruction ID: 9474c11c63e4d2ac21a9f32532a12f03ab210f81b7c5d710ed0768dcb451daef
Opcode Fuzzy Hash: 88f7683796af6ba6e4e403cbac95914115f46536e04e9b4791853cf417276b5d
Instruction Fuzzy Hash: CC21AF72A093808FD374CF20C8897DBB7E2ABC6314F14492EE48A97751DF789582CB46

Function 00403630 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d025f8d1106fa3073235a06081f30e5e6d35d93d253bf2a8f007ec5545cb8a71
Instruction ID: 20969ee6c65fe4576e9b7c11e1bb499825f71a37cacde963a22b7668a6501342
Opcode Fuzzy Hash: d025f8d1106fa3073235a06081f30e5e6d35d93d253bf2a8f007ec5545cb8a71
Instruction Fuzzy Hash: B7F0BB367192151BA630DD76A8C0427F75AD7CD215B19563DE941A3341C537E9018299

Function 00416556 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87c7ed7364d5c5be00f2a35e118e659a701458e691d9056c0835880681633d0
Instruction ID: 16e159206387e55a572d68b23afad9c383aa2147fea4fc9411d26a5a5340caac
Opcode Fuzzy Hash: c87c7ed7364d5c5be00f2a35e118e659a701458e691d9056c0835880681633d0
Instruction Fuzzy Hash: FAE0CD79C01411DFD6726F117E0375A7224EB5330CF012035FA8462152DA759616C7CF

Function 0042B0B2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8df43ff04dc8b3d70e051d8ccd9e6fde491254f7107998c7e9f0249ef5b9721
Instruction ID: 9c759e773bd463f077edaee26e908758f1732f927fa58ccd1a665bdfc78d1019
Opcode Fuzzy Hash: c8df43ff04dc8b3d70e051d8ccd9e6fde491254f7107998c7e9f0249ef5b9721
Instruction Fuzzy Hash: F6F058B8508341CFD720DF24C51478BFBE0BBC8318F01892ED88997391DBB8A8488F82

Function 0040CEC0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: b258b08327b2475435291265ee57a1677d6f08efe037edb6cda992b35cca9733
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 81D0A7615487A54E9758CE3884E047BFBE9E987652F1815AFE4D2F3245D234DC0146DC

Function 00425F08 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775e801aa4d1235640d8704acf4e3793971ff74856f1d1a31868e556823b1718
Instruction ID: 06ae55dbfde411660cdba928c6b3c9a89f32669e46d701800c5fed9fa027d894
Opcode Fuzzy Hash: 775e801aa4d1235640d8704acf4e3793971ff74856f1d1a31868e556823b1718
Instruction Fuzzy Hash: E0C012386440828AC304CF38D885B22FBA0AB9B200B10252AC482E3291C360D8168A0C

Function 00439899 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624a8a517524d297ebcb97e7b2dea9ab5ed274ddd15cd338aeed38ef3d31587c
Instruction ID: 0eb8f653568e1cb150bc590d41ed214eddbb83f20fc0137d47c3ed099ebd2df5
Opcode Fuzzy Hash: 624a8a517524d297ebcb97e7b2dea9ab5ed274ddd15cd338aeed38ef3d31587c
Instruction Fuzzy Hash: 36B09278AAC10187D608CF04E852536B338A307204B00342A8113F3652C650E602CA0C

Function 00423160 Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 428COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042325A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042328A

Strings

_)M/, xrefs: 00423358
b%K+, xrefs: 004233CE
_-Z3, xrefs: 00423360
Q5F;, xrefs: 00423370
]9N?, xrefs: 00423378
z5B, xrefs: 00423574
A=<C, xrefs: 00423380
V1u7, xrefs: 00423368

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: A=<C$Q5F;$V1u7$]9N?$_)M/$_-Z3$b%K+$z5B
API String ID: 237503144-9369427
Opcode ID: a963405a74f5af1b60c063329d792d429d764d63d498300577dbc332c42219dd
Instruction ID: 6c25a6aea91cc028f66e97bb300721ebc9fdf4a9df31a65af47228b30aa1f588
Opcode Fuzzy Hash: a963405a74f5af1b60c063329d792d429d764d63d498300577dbc332c42219dd
Instruction Fuzzy Hash: FEF189706083518BD734CF14C890B9BB7E1FFC6318F14892DE8999B391DB789949CB86

Function 0042FC6E Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042FD0D
GetSystemMetrics.USER32 ref: 0042FD1E
DeleteObject.GDI32 ref: 0042FD86
SelectObject.GDI32 ref: 0042FDE0
SelectObject.GDI32 ref: 0042FE6E
DeleteObject.GDI32 ref: 0042FEAB

Strings

, xrefs: 0042FE3B

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 1605eace1faa76802830f269757faa115ef100bcd827436c2b41e4d5f58b5c70
Instruction ID: c40496c8a484868a2327d7f54dc2d7edf9c34fca813400c8b045d7ec2e198c16
Opcode Fuzzy Hash: 1605eace1faa76802830f269757faa115ef100bcd827436c2b41e4d5f58b5c70
Instruction Fuzzy Hash: D0914CB4615B009FC364EF28D991A16BBF0FB49700F108A6DE89AC7760D731B849CF96

Function 00416020 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 255COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041605A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00416088

Strings

mbA, xrefs: 00416267
2cA, xrefs: 0041632C, 0041670E

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2cA$mbA
API String ID: 237503144-1881964337
Opcode ID: 3ac4021c3b304e15311e697455f3890b0cc16a5055b9ccaa249406f6e546627b
Instruction ID: b7f3bb75b84548121afdad034296d64894c6c64753ceb7b3df10d445bd4aead1
Opcode Fuzzy Hash: 3ac4021c3b304e15311e697455f3890b0cc16a5055b9ccaa249406f6e546627b
Instruction Fuzzy Hash: E281CB746083409BD324DF14C891BABB7E5FF86304F004A2EF9A65B381D778E941CB9A

Function 0041DEA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0041DFCB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041DFFA

Strings

M3, xrefs: 0041E09E, 0041E0A2
I}, xrefs: 0041DF1F

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: I}$M3
API String ID: 237503144-3697166928
Opcode ID: 31a75f8d1e6469b78e716ba028577c81f064eeb2942d06f8d0adcf80bfbe9018
Instruction ID: ec9b90382bb7ead40b53adb9eb2f2c858f9463fc7d762bbc74e40cbc7989eaf1
Opcode Fuzzy Hash: 31a75f8d1e6469b78e716ba028577c81f064eeb2942d06f8d0adcf80bfbe9018
Instruction Fuzzy Hash: D75174B5508341AFD314CF05C980B5BBBE1ABC6798F148A2DF8E98B281D778D945CB86

Function 00426479 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 452COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00426594

Strings

1>7m, xrefs: 004266FF
#<<=, xrefs: 004266F5

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID: #<<=$1>7m
API String ID: 3664257935-2836878564
Opcode ID: 73d4e8fbbd3f4895bcfb2218b51f07f7290b50547b71166f37177a2e894aa29f
Instruction ID: 46ffd743c2d5f18cae89b939e5a4606d1ec7a32bf8cd79bd14c2559badb1df61
Opcode Fuzzy Hash: 73d4e8fbbd3f4895bcfb2218b51f07f7290b50547b71166f37177a2e894aa29f
Instruction Fuzzy Hash: 7BF19D70244F928ED325CF38C890BE7BBE1AF52309F48486ED4EA97282D7796549CF54

Function 00422030 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042238A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004223B5

Strings

rv, xrefs: 004222C4

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: rv
API String ID: 237503144-1192486884
Opcode ID: 61f5135b817b3f4c21feb52014c1508f77880dd09578de0e4621473b5797ba22
Instruction ID: 6d77fcc0a91432310f68b07f5124296895fc3133316a91327832852efa189109
Opcode Fuzzy Hash: 61f5135b817b3f4c21feb52014c1508f77880dd09578de0e4621473b5797ba22
Instruction Fuzzy Hash: 6F51A7B4608341AFE320CF24D980B5ABBE5EFC5748F104A2DFAD55B391CBB49901CB96

Function 00422224 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042238A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004223B5

Strings

rv, xrefs: 004222C4

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: rv
API String ID: 237503144-1192486884
Opcode ID: db5fc486bf25cce9f9300e247e65b815125ead8ed2000b91c1b903857374ce2f
Instruction ID: 58f3cc8b1fa40384d476b545bd10d231c1409be3ce6ecbf456986f598687cb40
Opcode Fuzzy Hash: db5fc486bf25cce9f9300e247e65b815125ead8ed2000b91c1b903857374ce2f
Instruction Fuzzy Hash: 7651A7B4608341AFE720CF24D940B5ABBE5EFC5748F104A2DFAD55B391CBB49801CB96

Function 00412725 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000006,?,00000200,?), ref: 0041281A

Strings

21, xrefs: 00412743
~-G3, xrefs: 00412738

Memory Dump Source

Source File: 00000001.00000002.1660870354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 21$~-G3
API String ID: 237503144-3798633473
Opcode ID: 27eaee2bc581c9b7e85decfa4d0b84888851f2f295c7832c70fea0a894c45223
Instruction ID: a50e971d16cb0bb45665c54bad1e550bbef6a266b1fa2ac380cdc832f9aa0fcf
Opcode Fuzzy Hash: 27eaee2bc581c9b7e85decfa4d0b84888851f2f295c7832c70fea0a894c45223
Instruction Fuzzy Hash: D13169702083808BD334CF14C985B9BB3E5FF85344F04882DE48ACB291DBB49946CB56

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1Gvue8ItW8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1Gvue8ItW8.exe_7bc3b5b58e175b56deb741256a6753d5c1f43_7ae6c50f_5aa95db8-f190-41a7-b596-b18fc1c3b665\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE817.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE866.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8B5.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
1Gvue8ItW8.exe

Function 009D018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 00BAEC8D Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Function 00B98E80 Relevance: 4.5, APIs: 3, Instructions: 16
synchronizationthreadCOMMON

Function 00BB0118 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 00B99470 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 124
memoryCOMMON

Function 00BAA7FB Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Function 00BA9C4C Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00BAFD1C Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Function 00BA9BEF Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE