Edit tour

Windows Analysis Report
LisectAVT_2403002A_96.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_96.exe
Analysis ID:	1482133
MD5:	9256cf8bc71250fd9c9692477c308668
SHA1:	d10d2a348bf3e76c728da35161307bc8872174f3
SHA256:	7adf609b3d22801ddddc39747ef6344a17129f7159318962bcc67247be048ef2
Tags:	exeLummaStealer
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_96.exe (PID: 6832 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_96.exe" MD5: 9256CF8BC71250FD9C9692477C308668)

conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "sailsystemeyeusjw.shop"], "Build id": "1AsNN2--babah2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.122811+0200
SID:	2050996
Source Port:	63712
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.135830+0200
SID:	2051473
Source Port:	50769
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.150003+0200
SID:	2050953
Source Port:	53889
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.109180+0200
SID:	2051584
Source Port:	65215
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.073532+0200
SID:	2051586
Source Port:	51633
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sailsystemeyeusjw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.009762+0200
SID:	2051898
Source Port:	57630
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.160891+0200
SID:	2050956
Source Port:	55815
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.093286+0200
SID:	2051587
Source Port:	60941
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T18:31:10.177747+0200
SID:	2050952
Source Port:	64380
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_96.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://associationokeo.shop//i	Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/api	Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/	Avira URL Cloud: Label: malware
Source: associationokeo.shop	Avira URL Cloud: Label: malware
Source: colorfulequalugliess.shop	Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/api	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop//	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/	Avira URL Cloud: Label: malware
Source: detectordiscusser.shop	Avira URL Cloud: Label: malware
Source: relevantvoicelesskw.shop	Avira URL Cloud: Label: phishing
Source: turkeyunlikelyofw.shop	Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "sailsystemeyeusjw.shop"], "Build id": "1AsNN2--babah2"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_96.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: associationokeo.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pooreveningfuseor.pw
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: edurestunningcrackyow.fun
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: detectordiscusser.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: relevantvoicelesskw.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: colorfulequalugliess.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wisemassiveharmonious.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sailsystemeyeusjw.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 1AsNN2--babah2

Source: LisectAVT_2403002A_96.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LisectAVT_2403002A_96.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Casis.pdb source: LisectAVT_2403002A_96.exe
Source:	Binary string: Casis.pdbx source: LisectAVT_2403002A_96.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	3_2_00432156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [esi+ecx]	3_2_0040D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then test esi, esi	3_2_004352C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	3_2_004212E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	3_2_00433458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	3_2_0041541A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_00434489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	3_2_004095E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	3_2_004105BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	3_2_0041561D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0042D620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea esi, dword ptr [edx+ecx]	3_2_0041D860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000A8h]	3_2_00414810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_0041390E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_004119E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	3_2_0040FA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	3_2_0040FA7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [0043DC58h]	3_2_0041CB43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	3_2_00407B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	3_2_0041CB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esi+0Ch]	3_2_0041FB8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	3_2_00432C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]	3_2_00420D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	3_2_00410E43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	3_2_00434FB2

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: associationokeo.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor	URLs: pooreveningfuseor.pw
Source: Malware configuration extractor	URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor	URLs: detectordiscusser.shop
Source: Malware configuration extractor	URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor	URLs: colorfulequalugliess.shop
Source: Malware configuration extractor	URLs: wisemassiveharmonious.shop
Source: Malware configuration extractor	URLs: sailsystemeyeusjw.shop

Source: unknown	DNS traffic detected: query: wisemassiveharmonious.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sailsystemeyeusjw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: turkeyunlikelyofw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: associationokeo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: relevantvoicelesskw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: detectordiscusser.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: colorfulequalugliess.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edurestunningcrackyow.fun replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: sailsystemeyeusjw.shop
Source: global traffic	DNS traffic detected: DNS query: wisemassiveharmonious.shop
Source: global traffic	DNS traffic detected: DNS query: colorfulequalugliess.shop
Source: global traffic	DNS traffic detected: DNS query: relevantvoicelesskw.shop
Source: global traffic	DNS traffic detected: DNS query: detectordiscusser.shop
Source: global traffic	DNS traffic detected: DNS query: edurestunningcrackyow.fun
Source: global traffic	DNS traffic detected: DNS query: pooreveningfuseor.pw
Source: global traffic	DNS traffic detected: DNS query: turkeyunlikelyofw.shop
Source: global traffic	DNS traffic detected: DNS query: associationokeo.shop

Source: RegAsm.exe, 00000003.00000002.1651767284.0000000001522000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop//
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop//i
Source: RegAsm.exe, 00000003.00000002.1651681626.00000000014F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/api
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw//
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sailsystemeyeusjw.shop/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sailsystemeyeusjw.shop/.
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: RegAsm.exe, 00000003.00000002.1651681626.00000000014F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/api

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0042AC90 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0042AC90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0042AC90 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0042AC90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0042AE40 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

3_2_0042AE40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414280 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00414280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435440 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004324B2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004324B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004327F1 NtMapViewOfSection,	3_2_004327F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004327AF NtOpenSection,	3_2_004327AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043286A NtClose,	3_2_0043286A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432987 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00432987
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436060 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004220C1 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004220C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419080 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00419080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F1E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0042F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00412277 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00412277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431220 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417305 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00417305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436400 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041541A NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041541A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416492 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00416492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004314A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C5F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435640 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431600 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041960A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041960A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004156F7 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004156F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004146B7 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004146B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A762 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041A762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C765 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041C765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00412700 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00412700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431710 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004367D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004367D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416790 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00416790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431840 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D860 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041D860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435810 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A880 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435940 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435AB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435BD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419C41 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00419C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432C52 NtFreeVirtualMemory,	3_2_00432C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417C59 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00417C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435D40 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414D10 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00414D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041EDB2 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041EDB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418E50 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00418E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CF46 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041CF46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00420F04 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00420F04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00430F80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00430F80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436060	3_2_00436060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403240	3_2_00403240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00405274	3_2_00405274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00423216	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004212E2	3_2_004212E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F3FD	3_2_0041F3FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422382	3_2_00422382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436400	3_2_00436400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404640	3_2_00404640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041960A	3_2_0041960A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00423216	3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401700	3_2_00401700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D860	3_2_0041D860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413A27	3_2_00413A27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417A8C	3_2_00417A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407B20	3_2_00407B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419C41	3_2_00419C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403C60	3_2_00403C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00426D8E	3_2_00426D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FDB0	3_2_0040FDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402E70	3_2_00402E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CF46	3_2_0041CF46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00412F77	3_2_00412F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00420F04	3_2_00420F04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00405F30	3_2_00405F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EF80	3_2_0042EF80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040FF60 appears 154 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408560 appears 44 times

Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1649094618.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_96.exe
Source: LisectAVT_2403002A_96.exe, 00000000.00000000.1646583317.00000000007A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCasis.exe8 vs LisectAVT_2403002A_96.exe
Source: LisectAVT_2403002A_96.exe	Binary or memory string: OriginalFilenameCasis.exe8 vs LisectAVT_2403002A_96.exe

Source: LisectAVT_2403002A_96.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LisectAVT_2403002A_96.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/1@9/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00428009 CoCreateInstance,

3_2_00428009

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_96.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03

Source: LisectAVT_2403002A_96.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LisectAVT_2403002A_96.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe "C:\Users\user\Desktop\LisectAVT_2403002A_96.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior

Source: LisectAVT_2403002A_96.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002A_96.exe

Static file information: File size 4066498 > 1048576

Source: LisectAVT_2403002A_96.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: LisectAVT_2403002A_96.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Casis.pdb source: LisectAVT_2403002A_96.exe
Source:	Binary string: Casis.pdbx source: LisectAVT_2403002A_96.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043B016 push 980044CBh; retf 0044h	3_2_0043B021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043AF42 push esp; retf 0044h	3_2_0043AF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043AF7C push esp; retf 0044h	3_2_0043AF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043AFF2 push esp; retf 0044h	3_2_0043AF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043AFF2 push 680044CBh; retf	3_2_0043B015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043AFA9 push 680044CBh; retf	3_2_0043B015

Source: LisectAVT_2403002A_96.exe

Static PE information: section name: .text entropy: 7.946120539555088

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe TID: 6936	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5676	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5676	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Code function: 0_2_02AD5429 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_02AD5429

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: associationokeo.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: turkeyunlikelyofw.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pooreveningfuseor.pw
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: edurestunningcrackyow.fun
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: detectordiscusser.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: relevantvoicelesskw.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: colorfulequalugliess.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wisemassiveharmonious.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sailsystemeyeusjw.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 437000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 445000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1091008	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe

Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe VolumeInformation

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_96.exe	100%	Avira	TR/AD.Nekark.uxhtt
LisectAVT_2403002A_96.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://sailsystemeyeusjw.shop/	0%	Avira URL Cloud	safe
pooreveningfuseor.pw	0%	Avira URL Cloud	safe
https://sailsystemeyeusjw.shop/.	0%	Avira URL Cloud	safe
edurestunningcrackyow.fun	0%	Avira URL Cloud	safe
https://associationokeo.shop//i	100%	Avira URL Cloud	malware
https://turkeyunlikelyofw.shop/api	100%	Avira URL Cloud	malware
https://detectordiscusser.shop/	100%	Avira URL Cloud	malware
associationokeo.shop	100%	Avira URL Cloud	malware
colorfulequalugliess.shop	100%	Avira URL Cloud	phishing
https://associationokeo.shop/api	100%	Avira URL Cloud	malware
https://associationokeo.shop//	100%	Avira URL Cloud	malware
https://associationokeo.shop/	100%	Avira URL Cloud	malware
detectordiscusser.shop	100%	Avira URL Cloud	malware
relevantvoicelesskw.shop	100%	Avira URL Cloud	phishing
sailsystemeyeusjw.shop	0%	Avira URL Cloud	safe
turkeyunlikelyofw.shop	100%	Avira URL Cloud	malware
wisemassiveharmonious.shop	0%	Avira URL Cloud	safe
https://turkeyunlikelyofw.shop/	100%	Avira URL Cloud	malware
https://pooreveningfuseor.pw/	0%	Avira URL Cloud	safe
https://pooreveningfuseor.pw//	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
edurestunningcrackyow.fun	unknown	unknown	true	unknown
turkeyunlikelyofw.shop	unknown	unknown	true	unknown
detectordiscusser.shop	unknown	unknown	true	unknown
relevantvoicelesskw.shop	unknown	unknown	true	unknown
pooreveningfuseor.pw	unknown	unknown	true	unknown
wisemassiveharmonious.shop	unknown	unknown	true	unknown
associationokeo.shop	unknown	unknown	true	unknown
sailsystemeyeusjw.shop	unknown	unknown	true	unknown
colorfulequalugliess.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
edurestunningcrackyow.fun	true	Avira URL Cloud: safe	unknown
pooreveningfuseor.pw	true	Avira URL Cloud: safe	unknown
associationokeo.shop	true	Avira URL Cloud: malware	unknown
colorfulequalugliess.shop	true	Avira URL Cloud: phishing	unknown
turkeyunlikelyofw.shop	true	Avira URL Cloud: malware	unknown
detectordiscusser.shop	true	Avira URL Cloud: malware	unknown
relevantvoicelesskw.shop	true	Avira URL Cloud: phishing	unknown
wisemassiveharmonious.shop	true	Avira URL Cloud: safe	unknown
sailsystemeyeusjw.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sailsystemeyeusjw.shop/	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop/api	RegAsm.exe, 00000003.00000002.1651681626.00000000014F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sailsystemeyeusjw.shop/.	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://turkeyunlikelyofw.shop/api	RegAsm.exe, 00000003.00000002.1651681626.00000000014F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://associationokeo.shop//i	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://detectordiscusser.shop/	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://turkeyunlikelyofw.shop/	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://associationokeo.shop//	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://associationokeo.shop/	RegAsm.exe, 00000003.00000002.1651767284.0000000001522000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pooreveningfuseor.pw/	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pooreveningfuseor.pw//	RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482133
Start date and time:	2024-07-25 18:30:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_96.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/1@9/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 31 Number of non-executed functions: 83
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002A_96.exe

Simulations

Behavior and APIs

Time	Type	Description
12:31:08	API Interceptor	2x Sleep call for process: RegAsm.exe modified

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_96.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.999091412536057
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	LisectAVT_2403002A_96.exe
File size:	4'066'498 bytes
MD5:	9256cf8bc71250fd9c9692477c308668
SHA1:	d10d2a348bf3e76c728da35161307bc8872174f3
SHA256:	7adf609b3d22801ddddc39747ef6344a17129f7159318962bcc67247be048ef2
SHA512:	19a4f16d81e81f02cff730b9f3053c49413b55953b8f96aa6fe3347ffff5c68807c51b9b08405c22ca783864ad1c1ca9996d138f85fe56b3a9c30eb7d7cd249c
SSDEEP:	98304:WbzczBM9Czp5+Yq501qQQS4pJ+02Ww/GJcBYX8QbvxLptP6FbKEq:Wb4zjzKY/F4pJ2KJcBYsmxL76FbKEq
TLSH:	1816338EB86362B0E715273B8C1F66DA03F5030DBE23A1CB5AE152F95743B3E9580567
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45029e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6600948B [Sun Mar 24 21:00:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x50250	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x534	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x50204	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4e2a4	0x4e400	7f6ab5e02a082cdb20bfd0f49fc66c47	False	0.952856679313099	data	7.946120539555088	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x534	0x600	29a63f26f37222e40ab7f51e7effae08	False	0.40234375	data	3.9185262150899947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54000	0xc	0x200	a297d094f38e0b551988a203abf44e97	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x520a0	0x2a8	data			0.4661764705882353
RT_MANIFEST	0x52348	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T18:31:10.122811+0200	UDP	2050996	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)	63712	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.135830+0200	UDP	2051473	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun)	50769	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.150003+0200	UDP	2050953	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw)	53889	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.109180+0200	UDP	2051584	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop)	65215	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.073532+0200	UDP	2051586	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop)	51633	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.009762+0200	UDP	2051898	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sailsystemeyeusjw .shop)	57630	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.160891+0200	UDP	2050956	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop)	55815	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.093286+0200	UDP	2051587	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop)	60941	53	192.168.2.4	1.1.1.1
2024-07-25T18:31:10.177747+0200	UDP	2050952	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop)	64380	53	192.168.2.4	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 18:31:10.009762049 CEST	57630	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.061292887 CEST	53	57630	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.073532104 CEST	51633	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.090089083 CEST	53	51633	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.093286037 CEST	60941	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.107244968 CEST	53	60941	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.109179974 CEST	65215	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.119343996 CEST	53	65215	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.122811079 CEST	63712	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.130491018 CEST	53	63712	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.135829926 CEST	50769	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.146205902 CEST	53	50769	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.150002956 CEST	53889	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.157958031 CEST	53	53889	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.160891056 CEST	55815	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.174453020 CEST	53	55815	1.1.1.1	192.168.2.4
Jul 25, 2024 18:31:10.177747011 CEST	64380	53	192.168.2.4	1.1.1.1
Jul 25, 2024 18:31:10.186146975 CEST	53	64380	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 18:31:10.009762049 CEST	192.168.2.4	1.1.1.1	0xd8cc	Standard query (0)	sailsystemeyeusjw.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.073532104 CEST	192.168.2.4	1.1.1.1	0x5226	Standard query (0)	wisemassiveharmonious.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.093286037 CEST	192.168.2.4	1.1.1.1	0x9a1e	Standard query (0)	colorfulequalugliess.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.109179974 CEST	192.168.2.4	1.1.1.1	0xfdd3	Standard query (0)	relevantvoicelesskw.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.122811079 CEST	192.168.2.4	1.1.1.1	0x79ff	Standard query (0)	detectordiscusser.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.135829926 CEST	192.168.2.4	1.1.1.1	0xe6f7	Standard query (0)	edurestunningcrackyow.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.150002956 CEST	192.168.2.4	1.1.1.1	0x6f27	Standard query (0)	pooreveningfuseor.pw	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.160891056 CEST	192.168.2.4	1.1.1.1	0x7d69	Standard query (0)	turkeyunlikelyofw.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.177747011 CEST	192.168.2.4	1.1.1.1	0x2909	Standard query (0)	associationokeo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 18:31:10.061292887 CEST	1.1.1.1	192.168.2.4	0xd8cc	Name error (3)	sailsystemeyeusjw.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.090089083 CEST	1.1.1.1	192.168.2.4	0x5226	Name error (3)	wisemassiveharmonious.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.107244968 CEST	1.1.1.1	192.168.2.4	0x9a1e	Name error (3)	colorfulequalugliess.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.119343996 CEST	1.1.1.1	192.168.2.4	0xfdd3	Name error (3)	relevantvoicelesskw.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.130491018 CEST	1.1.1.1	192.168.2.4	0x79ff	Name error (3)	detectordiscusser.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.146205902 CEST	1.1.1.1	192.168.2.4	0xe6f7	Name error (3)	edurestunningcrackyow.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.174453020 CEST	1.1.1.1	192.168.2.4	0x7d69	Name error (3)	turkeyunlikelyofw.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 18:31:10.186146975 CEST	1.1.1.1	192.168.2.4	0x2909	Name error (3)	associationokeo.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:31:08
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_96.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_96.exe"
Imagebase:	0x750000
File size:	4'066'498 bytes
MD5 hash:	9256CF8BC71250FD9C9692477C308668
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:31:08
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:31:08
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x330000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:31:08
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xea0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	47.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.3%
Total number of Nodes:	246
Total number of Limit Nodes:	9

Executed Functions

Function 02AD5429 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02AD5598
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02AD55AB
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02AD55C9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02AD55ED
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02AD5618
TerminateProcess.KERNELBASE(?,00000000), ref: 02AD5637
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02AD5670
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02AD56BB
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02AD56F9
Wow64SetThreadContext.KERNEL32(?,?), ref: 02AD5735
ResumeThread.KERNELBASE(?), ref: 02AD5744

Strings

Load, xrefs: 02AD5467
ress, xrefs: 02AD54B3
GetP, xrefs: 02AD54AB
aryA, xrefs: 02AD546F

Memory Dump Source

Source File: 00000000.00000002.1649780351.0000000002AD5000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad5000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 843e0f81d48333b3825a899e3699ba731a48d375cfa3f71e783ddbf305a4cdac
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 67B1E47664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA41CB94

Function 01062B36 Relevance: 1.7, APIs: 1, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 01063018

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9e3fb1075ef4c74a97170dbce479fac478de37d1519dbd362ca25c5b55ca1272
Instruction ID: d421b608b89b6bacce93d965e188f76bf505c662bd0d7154dd7321ce0eb17eab
Opcode Fuzzy Hash: 9e3fb1075ef4c74a97170dbce479fac478de37d1519dbd362ca25c5b55ca1272
Instruction Fuzzy Hash: B861D0709053598FCB51CF79C8445AABBF4FF49320F25856EE4C89B241D3389E51CBA0

Function 01062838 Relevance: 1.7, APIs: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be4f49f6fae6166bcc34cc75d612bedd1ac8e489fbe4e85d5a05dfae800acd0
Instruction ID: 082f0db50f813e5b6da94ab14cc985829ccf2e89292fb8bcc90d6b532c3d482e
Opcode Fuzzy Hash: 2be4f49f6fae6166bcc34cc75d612bedd1ac8e489fbe4e85d5a05dfae800acd0
Instruction Fuzzy Hash: 5761EE70805349DFCB51CF79C844AAABBF5FF49320F25856EE4C8AA241D7389A51CBA0

Function 0106291A Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 01063018

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bd5051c46afa106a96d209d71ca969bd54bab39dd1628ba7bdd96459cfad286a
Instruction ID: 64c516e34f111370a2970908a9c634c50f1f76d7be1972618de0fa98e1a02fd0
Opcode Fuzzy Hash: bd5051c46afa106a96d209d71ca969bd54bab39dd1628ba7bdd96459cfad286a
Instruction Fuzzy Hash: E351CE708053499FDB51CF79C8849AABFF4FF45320F25856EE4C89B282D3385A56CBA1

Function 0106276E Relevance: 1.7, APIs: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc4b4eab908854c91b37710f02d49b195588eba35afefa0f7ae639e4ad93877
Instruction ID: a8c6d4291d2081eefa6a3b196fdcaf7a54caaac51d67206d533b499190c49925
Opcode Fuzzy Hash: cbc4b4eab908854c91b37710f02d49b195588eba35afefa0f7ae639e4ad93877
Instruction Fuzzy Hash: 6851C0708053499FDB51CF79C844AAABBF4FF49320F15856EE4C89B242D3389A51CFA1

Function 01062A2B Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fd036dde8d14ce706c49b3d407a54acd873b33447a7c215a291418d9bc98cf
Instruction ID: 60642bd15458d1bc1931c873c2a9ec568b3dc221da9191486d3d637119507e8f
Opcode Fuzzy Hash: d6fd036dde8d14ce706c49b3d407a54acd873b33447a7c215a291418d9bc98cf
Instruction Fuzzy Hash: 4151BC708053499FDB55CF79C884AEABBF4FF49320F25856EE4C89A281D3385A51CFA1

Function 010628C0 Relevance: 1.7, APIs: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed6d9092e335fa55eeca4e8b754a6859cd606609ccb989828d7d25d73437fc8
Instruction ID: 53bbfc866455bb7071f428fbf3a2fbea93d8b4892e6d29344f9a2be37297fc5d
Opcode Fuzzy Hash: 2ed6d9092e335fa55eeca4e8b754a6859cd606609ccb989828d7d25d73437fc8
Instruction Fuzzy Hash: 54518A708053599FCB51CF79C8449AABBF4FF49320F25856EE4C8AB241D738AA51CFA4

Function 0106281F Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d783ff16b2c98fb067a600bbaf440bd852654b43900761e08d6a409c0ebc5a99
Instruction ID: 4cf80d21fb82b7d742773cc32f63d25056109d8a5ea1b8f056b75f0ce618b799
Opcode Fuzzy Hash: d783ff16b2c98fb067a600bbaf440bd852654b43900761e08d6a409c0ebc5a99
Instruction Fuzzy Hash: 27517C708053499FDB51CF75C8849EABBF4FF49320F25856EE4C49A241D338AA51CBA5

Function 010627BD Relevance: 1.6, APIs: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cef01d453063d3b24ba3af64c45c44e2cabe96391830335a8a6879e20cc379
Instruction ID: fee83481c58b2b1da2aee95fe1750fa5ad915d5c23f7ba223730bc0b84abcc02
Opcode Fuzzy Hash: a0cef01d453063d3b24ba3af64c45c44e2cabe96391830335a8a6879e20cc379
Instruction Fuzzy Hash: 59519E708053599FDB51CF79C8449EABBF4FF49320F25856EE4C8AA281D3385A51CFA1

Function 01062EA3 Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57c878cade55b9a5f4dce5a2754a913cfd779995218c234b92212c136dd31e3
Instruction ID: ca8ceba99b66127cd04492e2ea273766ffaae17eedf4b05fea652d0bfeb6f50d
Opcode Fuzzy Hash: f57c878cade55b9a5f4dce5a2754a913cfd779995218c234b92212c136dd31e3
Instruction Fuzzy Hash: 6E519D708053599FDB51CF79C8449EABBF4FF49320F25856EE4C8AA282D3385A51CFA4

Function 01062E0E Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 01063018

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5b02faa9a72b5632f312f83f7d43db289a1979848df0c796d9c205f846fb2faf
Instruction ID: f498fbca91a9af8e61620d7a22c3651db31d1ecf40d80629fbaddad89dcd6c72
Opcode Fuzzy Hash: 5b02faa9a72b5632f312f83f7d43db289a1979848df0c796d9c205f846fb2faf
Instruction Fuzzy Hash: B651BE708053599FCB51CF79C8449EABBF4FF49324F25856EE4C8AA242D3385A51CFA4

Function 01063129 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 010631CC

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1af385af1771737482c480f971dd456cdb6b138a69316256822a04a0cc82e770
Instruction ID: f783da3505e7e05d6ebb94a9934f10bcaac0312db311af0952361b3ba5e066b9
Opcode Fuzzy Hash: 1af385af1771737482c480f971dd456cdb6b138a69316256822a04a0cc82e770
Instruction Fuzzy Hash: 873126B19003499FDB10DFAAC884ADEBFF5FF48310F108429E919A7340C7759A55CBA0

Function 01063130 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 010631CC

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 54aa33ef9b1c7e62e4fdcd16401dc9e09cee45e249efe201093746de30b2aa20
Instruction ID: 1fa1fa74a51109fe3cb3e45e4ffb8cbd733d0e262bca05e6c48a043030ce24dc
Opcode Fuzzy Hash: 54aa33ef9b1c7e62e4fdcd16401dc9e09cee45e249efe201093746de30b2aa20
Instruction Fuzzy Hash: 3E2115B59003499FCB10DFAAD885ADEBFF5FF48314F20842AE919A7340C7759A54CBA0

Function 01062F90 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 01063018

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 80c86197d9e990f59d99f63fce89da98bc81ebc4d3784e7fb26a06eb2f3ccf57
Instruction ID: 5ae0eb7f37888d20782566cc0754be0eb1ea65c37cf6e2c3dca0496fd6572f02
Opcode Fuzzy Hash: 80c86197d9e990f59d99f63fce89da98bc81ebc4d3784e7fb26a06eb2f3ccf57
Instruction Fuzzy Hash: 9B2139B1C003499FDB10DFAAC885AEEFBF5FF48310F108429E559A7240D7789945DBA5

Function 01062F98 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 01063018

Memory Dump Source

Source File: 00000000.00000002.1649636877.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1060000_LisectAVT_2403002A_96.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 646f66bb35b79fcc08e3131441382103196d5c80e22862ad80f85eebd1a35d26
Instruction ID: 82d69cd64404d4a80ca4a629c10e642d31271ea0850cc6ee9638f2d1f8e93411
Opcode Fuzzy Hash: 646f66bb35b79fcc08e3131441382103196d5c80e22862ad80f85eebd1a35d26
Instruction Fuzzy Hash: 0D2137B18003499FDB10DFAAC885AEEFBF5FF48320F10842AE559A7240C7789944DBA5

Analysis Process: RegAsm.exePID: 7084, Parent PID: 6832COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	43.8%
Total number of Nodes:	48
Total number of Limit Nodes:	4

Executed Functions

Function 004324B2 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432543
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043258B
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043262B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00432673

Strings

4JH, xrefs: 004325BF, 00432679

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: 4JH
API String ID: 292159236-2930965107
Opcode ID: d481d630a5b8d5a9e8a5691eb967baa4d0b19a6a76c4a807ddfd3ffdc9a89d23
Instruction ID: e57bc33411c52b55f67eae1a2d9bac0583ccc31d05605645e86a6c579d410437
Opcode Fuzzy Hash: d481d630a5b8d5a9e8a5691eb967baa4d0b19a6a76c4a807ddfd3ffdc9a89d23
Instruction Fuzzy Hash: 475117B5200B009FE734CF14C855B17B7E5FB09315F148B2DE6A68BBA0D7B4E9498B98

Function 00435440 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004355B5
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00435627

Strings

@, xrefs: 00435500
,, xrefs: 0043558C

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,$@
API String ID: 292159236-1227015840
Opcode ID: 856cd1b58afa6bc134fa03a889fbc70798f28364a2ecd4c6e9760d5773f632fd
Instruction ID: f8360100b9cb7d3cb57d77f65ba4c6ccbb3f9379dda1dcf08f2b3c6d20ea6815
Opcode Fuzzy Hash: 856cd1b58afa6bc134fa03a889fbc70798f28364a2ecd4c6e9760d5773f632fd
Instruction Fuzzy Hash: BB519EB11047009FE710CF14CC46B5BBBE5EF88318F158A2DF5A98B3E0E77999088B86

Function 00432987 Relevance: 6.2, APIs: 4, Instructions: 157
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432ACD
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00432B1C

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 42dae8a1bee0bef5fb7ba0b2853ffd8c3125a0c385f60d813a3b9d2991cfd157
Instruction ID: 295fa45e4d408423eabf138bee41277be027f8e9f289c2ea6cb46de8400daab2
Opcode Fuzzy Hash: 42dae8a1bee0bef5fb7ba0b2853ffd8c3125a0c385f60d813a3b9d2991cfd157
Instruction Fuzzy Hash: F95113B5100B009FE324CF04C895B17B7F4BB09715F148A2DE6A68BAE1C7B5B9498B98

Function 00432C52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00432C36

Strings

JM, xrefs: 00432C73

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeMemoryVirtual
String ID: JM
API String ID: 3963845541-1126336605
Opcode ID: 4c57a4efb765355fab4178c6956b6285595b26ad7eb704c4faddeec0770cddab
Instruction ID: 7792fbddc69783f63ebb1d4035c585e78bd1a7d627786f70673d153a23fe61f1
Opcode Fuzzy Hash: 4c57a4efb765355fab4178c6956b6285595b26ad7eb704c4faddeec0770cddab
Instruction Fuzzy Hash: 463127751447814BE718CF24CC907577BE0FB06325F18665DD893CB6A7D678E546C708

Function 0043286A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL ref: 004328A5

Strings

`LH, xrefs: 004328A7

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Close
String ID: `LH
API String ID: 3535843008-2472401817
Opcode ID: 86ab5c0938e1b830f481357698d7d6090946e8db4a46c1e3f054870f591dd6ac
Instruction ID: 3204b7d4919afa1bd31a539cca70297fecf578bfa73307c8a78c10fe3bfb4898
Opcode Fuzzy Hash: 86ab5c0938e1b830f481357698d7d6090946e8db4a46c1e3f054870f591dd6ac
Instruction Fuzzy Hash: EEE01279484004DBCB45FF68FC42D647661FF9A30A7101074E802E1232DF6A1A64AE1D

Function 00414280 Relevance: 3.1, APIs: 2, Instructions: 77
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00414321
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00414365

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 0177d12dfe376cca5f37222a2906533dcaa952e0eb16e3c2ccb901f969772b5a
Instruction ID: 868897cf0748b6c88601c0dcc4a7e9804739e8613007b25ed20e9ee7eb803c6b
Opcode Fuzzy Hash: 0177d12dfe376cca5f37222a2906533dcaa952e0eb16e3c2ccb901f969772b5a
Instruction Fuzzy Hash: AA21AFB5109315AFE310CF08D845B5BBBE8EBC5764F108A2DF9A4873D0D3B49944CB96

Function 004327F1 Relevance: 1.5, APIs: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 0043282D

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 035a58a4ac49a97b24cc7d0bd94c7107132f3e706de7e0b625d0706f1f055b85
Instruction ID: 7d97224ab8d063000262d9b4a55516943ef22394f512bf34d6ca9625f87aa892
Opcode Fuzzy Hash: 035a58a4ac49a97b24cc7d0bd94c7107132f3e706de7e0b625d0706f1f055b85
Instruction Fuzzy Hash: 21F01C79280740AFE7209F18DC42F11B7F1BB4A704F200518F792AAAE1C7B67850CB08

Function 004327AF Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000004), ref: 004327C9

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: 100327a6f294a97e0d3f15f25135b08b87efce59eb2cea405b9adfa94b504eb5
Instruction ID: 26adc72d2ccf5801e9a77bfe4c4923719abfef157c5aa9430de75e6ed24b83b7
Opcode Fuzzy Hash: 100327a6f294a97e0d3f15f25135b08b87efce59eb2cea405b9adfa94b504eb5
Instruction Fuzzy Hash: F9E0C2B9080240DBE744DB64EC02B32B3A1B789309F14202CE383EB6A1C771FD528F88

Function 00408BA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00408C12

Strings

eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance, xrefs: 00408BDA

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance
API String ID: 621844428-3721107060
Opcode ID: b71804b9997aa554e16004a83a96f55f800cf84d45723589b227d08796950f40
Instruction ID: f1808be77cff1eb31d72e978934db848b61890ee2b0dfd9146d7a31faa626585
Opcode Fuzzy Hash: b71804b9997aa554e16004a83a96f55f800cf84d45723589b227d08796950f40
Instruction Fuzzy Hash: D8F01DB040D600CAD6007B65970636A7BB4BF51394F20553FE4D7711C1EE7DA446AA6F

Function 00430EBB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00430F4C

Strings

\-"#, xrefs: 00430F08

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID: \-"#
API String ID: 3298025750-2514456039
Opcode ID: ca35d4fa510ca61bad3c211c373f68befa3b02ba84f1bee3b89ec66d48974bdb
Instruction ID: 812974517138c8aff2ad21617ce4751b91424872a0d23016b608d76a644f7d63
Opcode Fuzzy Hash: ca35d4fa510ca61bad3c211c373f68befa3b02ba84f1bee3b89ec66d48974bdb
Instruction Fuzzy Hash: 00112E742083409FD318CF14D8A4B2FBBA1FBC5318F148A5DE8AA47791C7799916CF86

Function 0043349A Relevance: 1.6, APIs: 1, Instructions: 124
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00433631

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 453e1395d4cd7f01499e03e2c3fd89198ecca2b65677bebf01668ae4618eeb37
Instruction ID: 05879597b36f340204e54eefabb3aa78cb91631a6f28e7ec5fb6b6756ed41326
Opcode Fuzzy Hash: 453e1395d4cd7f01499e03e2c3fd89198ecca2b65677bebf01668ae4618eeb37
Instruction Fuzzy Hash: AE418FB8100B42AFD314CF16ECA1626BBB1FB46706F50862DD49647B61D738F6A1CF98

Function 00430D33 Relevance: 1.6, APIs: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00430DDC

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 378380c59ab7deeedbf844b2be65350c1b2df18023da69360a3b69a43fc4cd10
Instruction ID: 6c7d86bb20e7512e0980dc883ce85d6ef295a5f790affbbfa7a9690a99a341db
Opcode Fuzzy Hash: 378380c59ab7deeedbf844b2be65350c1b2df18023da69360a3b69a43fc4cd10
Instruction Fuzzy Hash: 644144342406018FD314CF29C894B16BBE3EB89324F24C66DD9A58B7A5D776F857CB84

Function 00432E56 Relevance: 1.6, APIs: 1, Instructions: 64
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00433631

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 197706f2a6f4593b94a649efe21b69c80866ef0c4be32c16bef3ca1d0a16588b
Instruction ID: 58631fd8b282c1a11470803616a2f005a7f8d0b17c781736e0482700b0d315c4
Opcode Fuzzy Hash: 197706f2a6f4593b94a649efe21b69c80866ef0c4be32c16bef3ca1d0a16588b
Instruction Fuzzy Hash: E62190B4100B42AFD314CF22EC91626BBB1FB46306F50861DD45607B61D738A691CF98

Function 00433396 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 0043342A

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1d9fafaf88a8faf340e27bd8f8408155bedffa904f35b9538d4d166bcb0415c7
Instruction ID: ac2c790b1fc1a3f59a991d20ee33573d98549c45b6f28e19746bc35e08f0584e
Opcode Fuzzy Hash: 1d9fafaf88a8faf340e27bd8f8408155bedffa904f35b9538d4d166bcb0415c7
Instruction Fuzzy Hash: 9E1103B9200B428BC318CF24D9A0717BBB1FF4A315B509A5CC4A65BB61C734E981CB88

Function 004331B5 Relevance: 1.5, APIs: 1, Instructions: 48
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 0043323E

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9d142ec2f202c3a93a3bc966abc59e870bd095bf133c8f10dd987d28d565b27c
Instruction ID: 327e9fcf5c09f3c99b27c50919e6ad6266d6078656913635956d24c9b1847ba5
Opcode Fuzzy Hash: 9d142ec2f202c3a93a3bc966abc59e870bd095bf133c8f10dd987d28d565b27c
Instruction Fuzzy Hash: 5E114C751007428BD319CF15C5A0626FBB2BF46314F19D69DC4A64BB55CB34E581CF84

Function 004341B0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00408C07), ref: 004341C8

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 513b45c6974d4a246ee32657e5f30ea2f279fd49f7bf0d96532289f74e7f9a1a
Instruction ID: 34726e395fa879ebbd2bdff8ea1e481c3f1f4678e9850b4833e67583b8036a63
Opcode Fuzzy Hash: 513b45c6974d4a246ee32657e5f30ea2f279fd49f7bf0d96532289f74e7f9a1a
Instruction Fuzzy Hash: A0D092B9A00000ABDF016FA0FD4AA1A3B36BB86B4771811B9B121D1070DBB69A50EB1D

Non-executed Functions

Function 0042AE40 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 166COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042AE8B
GetSystemMetrics.USER32 ref: 0042AE9E
DeleteObject.GDI32 ref: 0042AF08
SelectObject.GDI32 ref: 0042AF5A
SelectObject.GDI32 ref: 0042AFCD
DeleteObject.GDI32 ref: 0042B007

Strings

sWH, xrefs: 0042B071
RWH, xrefs: 0042B0DF
RWH, xrefs: 0042B100
RWH, xrefs: 0042B0A8
HVH, xrefs: 0042B066
UH, xrefs: 0042B0EA
RWH, xrefs: 0042B0B3
VH, xrefs: 0042B07C
, xrefs: 0042AF9C

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $HVH$RWH$RWH$RWH$RWH$sWH$UH$VH
API String ID: 3911056724-4180904444
Opcode ID: e055fe877abc44b63b1dcfdcb8bd3dedf39a36a7745de8474bb4adde08ef3ca1
Instruction ID: d336f9680c2c80765347343122a820d99364ef955cbf8dd5265351ec383eaf10
Opcode Fuzzy Hash: e055fe877abc44b63b1dcfdcb8bd3dedf39a36a7745de8474bb4adde08ef3ca1
Instruction Fuzzy Hash: A69165B4919380DFD764EF68D584B9ABBF0FB89304F50992EE88987350D7749848CF4A

Function 0041CF46 Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 436COMMON

Download Yara Rule

Strings

J%, xrefs: 0041D01D
JQ, xrefs: 0041D009
[Q, xrefs: 0041D013
E, xrefs: 0041D29A
57, xrefs: 0041CF87
)+, xrefs: 0041CF7D
=?, xrefs: 0041CF9B

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: E$J%$JQ$[Q$)+$57$=?
API String ID: 292159236-1103543027
Opcode ID: 0bb61f644cf164a5b7bd3e7e5a4839d0630b2550bb2a8b415e81011de3df14a6
Instruction ID: af662492b1772ae99da2f549c3987d361bf92e187eff3c49f3daefb35f4ab968
Opcode Fuzzy Hash: 0bb61f644cf164a5b7bd3e7e5a4839d0630b2550bb2a8b415e81011de3df14a6
Instruction Fuzzy Hash: FE0262B1100B05CFE724CF25D885BA7B7E4FB49304F548A2DE5AB8BAA0DB74B445CB58

Function 004095E0 Relevance: 17.9, Strings: 14, Instructions: 422COMMON

Download Yara Rule

Strings

%I8O, xrefs: 00409A7A
m]8c, xrefs: 00409AA2
J9S?, xrefs: 00409A5A
E-^3, xrefs: 00409A42
,Y+_, xrefs: 00409A9A
*E0K, xrefs: 00409A72
b5K;, xrefs: 00409A52
0, xrefs: 0040963D
1A;G, xrefs: 00409A6A
<U%[, xrefs: 00409A92
)M:S, xrefs: 00409A82
X)\/, xrefs: 00409A3A
c%U+, xrefs: 00409BB8
&QaW, xrefs: 00409A8A

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %I8O$&QaW$)M:S$*E0K$,Y+_$0$1A;G$<U%[$E-^3$J9S?$X)\/$b5K;$c%U+$m]8c
API String ID: 0-997815367
Opcode ID: d7fb3e74ec2e28aa543b637f803960ee737ed12f5e5709a3deba42899b75493b
Instruction ID: 8b2ad76d28e35d9b16d3389fbbbd24c75959c0fa443f5104ffe7841e359e9b10
Opcode Fuzzy Hash: d7fb3e74ec2e28aa543b637f803960ee737ed12f5e5709a3deba42899b75493b
Instruction Fuzzy Hash: DA0202B02183818BE324CF15C4A4B6FBBE1BBC2348F144D2DE5D59B392D7799909CB96

Function 00426D8E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 243COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00426D98

Strings

Z, xrefs: 00426F4E
C, xrefs: 00426F46
E, xrefs: 00426F56
G, xrefs: 00426F3E
@, xrefs: 00426F2E
w, xrefs: 00426F26
L, xrefs: 00426F36

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: String
String ID: @$C$E$G$L$Z$w
API String ID: 2568140703-3096178343
Opcode ID: 87b9087248ae5eace9f90d9ca8cc5c9f7d9fa184371e6c5ee72b762536391599
Instruction ID: 9e35a21059ff4ddcf5d1cec1c932da6d5e7adec0eece979922aa03f3d44e8adc
Opcode Fuzzy Hash: 87b9087248ae5eace9f90d9ca8cc5c9f7d9fa184371e6c5ee72b762536391599
Instruction Fuzzy Hash: 5CA1E57170D3908FD725CA28D89479EBBD2AFD5320F598A2DD8D98B3C1CB798804C742

Function 0041FB8E Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 637COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0041FC9D
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0041FCC6
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 004200DD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042010B

Strings

{cH, xrefs: 00420348
qrs, xrefs: 004201CB
MO, xrefs: 004201B6

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: MO${cH$qrs
API String ID: 237503144-732795104
Opcode ID: 8670f8c9293279a242689b2c3cfda6a3a1a1e25064178ff9fa20b943fc823e12
Instruction ID: 65a3cd21bf31c4a700145bba2377a232baa2ce444e148d85dfe348caaee142c8
Opcode Fuzzy Hash: 8670f8c9293279a242689b2c3cfda6a3a1a1e25064178ff9fa20b943fc823e12
Instruction Fuzzy Hash: AC325AB0500A009FD724CF29C495B17BBE1FB89324F158A5DD8AA8BB99D734E816CBC5

Function 0041CB80 Relevance: 12.8, Strings: 10, Instructions: 261COMMON

Download Yara Rule

Strings

s}, xrefs: 0041CE20
s;, xrefs: 0041CE28
@%z', xrefs: 0041CBE1
d9:;, xrefs: 0041CC09
d)C+, xrefs: 0041CBE9
Z-K/, xrefs: 0041CBF1
8#, xrefs: 0041CE30
s1]3, xrefs: 0041CBF9
Y5[7, xrefs: 0041CC01
X!G#, xrefs: 0041CBD9

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 8#$@%z'$X!G#$Y5[7$Z-K/$d)C+$d9:;$s1]3$s;$s}
API String ID: 0-3001701124
Opcode ID: 78fa73f9304cb6e3878cd8a34dcb9abd98b3adb902670527a849b8cb8d2205ba
Instruction ID: 19c8075aa3001c786487764f0464367b61e8b25b92a190ce5d8e6f54d34452f3
Opcode Fuzzy Hash: 78fa73f9304cb6e3878cd8a34dcb9abd98b3adb902670527a849b8cb8d2205ba
Instruction Fuzzy Hash: 74919AB06083418BD714CF18D8906ABBBF1FF82354F148A2DF9A65B391E378D945CB96

Function 00420F04 Relevance: 11.3, APIs: 4, Strings: 2, Instructions: 802nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004228F6
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0042294F

Strings

Y]KB, xrefs: 00422C69
EXEC, xrefs: 00422C62

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: EXEC$Y]KB
API String ID: 292159236-105863924
Opcode ID: b01179a94c9c1e486c4d7d47bd9e708c0eecc83578f5eda10a58d939a586235d
Instruction ID: b8fe15191a4cb810a11d2c1cdebb326c90956e945b5c8991cfbfe6dc89b5b8e9
Opcode Fuzzy Hash: b01179a94c9c1e486c4d7d47bd9e708c0eecc83578f5eda10a58d939a586235d
Instruction Fuzzy Hash: 1A52DF70204B508BD335CF29C5947A3BBE2BF56314F548A5ED4EB8BB91C7B8A409CB58

Function 0041A880 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 153nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041AB42
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041AB97

Strings

`w, xrefs: 0041AC78
JaLc, xrefs: 0041ABD8
IXta, xrefs: 0041AD0C
~w, xrefs: 0041AC70

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: IXta$JaLc$`w$~w
API String ID: 292159236-2358998091
Opcode ID: 1e42106d24df261cb5d18390cad165dcb4a8f8667792d7f965dff132a2665357
Instruction ID: bfa11fb85def840ccfc55144673c2037c260f26699fa6ce15004a86c85d04321
Opcode Fuzzy Hash: 1e42106d24df261cb5d18390cad165dcb4a8f8667792d7f965dff132a2665357
Instruction Fuzzy Hash: 8F613EB0219381AFD364CF08D884B5BBBF1FB81744F50992DF5A58B2A1D774D849CB86

Function 00431950 Relevance: 9.4, APIs: 6, Instructions: 396nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00100000,00003000,00000004), ref: 004319A0
NtAllocateVirtualMemory.NTDLL(000000FF,0000BA00,00000000,?,00003000,00000040), ref: 00431AA0
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000010,00008000), ref: 00431AFC
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000), ref: 00431B46
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00003000,00000004), ref: 00431B6C
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00431E54

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 157d70de22d84546dcc6f03ec508dbbd0ac7a1b4d7918f13c0c178961d6826b7
Instruction ID: 6e07ae5db53da8b8030a6f5ed98da4aac5f7c7e97a2b8d8c8d50efb31124d513
Opcode Fuzzy Hash: 157d70de22d84546dcc6f03ec508dbbd0ac7a1b4d7918f13c0c178961d6826b7
Instruction Fuzzy Hash: D7D1CF716083419FC714CF18C891B1FBBE1AF89314F148A2EF9A58B3A1D775D905CB56

Function 00401700 Relevance: 9.3, Strings: 7, Instructions: 578COMMON

Download Yara Rule

Strings

., xrefs: 004017AA
[, xrefs: 00401969
0, xrefs: 004017A4
null, xrefs: 00401ACD
false, xrefs: 00401892
., xrefs: 004017CF
true, xrefs: 0040187A

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .$.$0$[$false$null$true
API String ID: 0-2094208800
Opcode ID: 336e1c7765ce89bb735e74a889a6d7a4bd5a3082db35aa5a2400fc6e68fc1a1d
Instruction ID: 41d43fbf767d37e6ec8a8abe32da969266ce922f9d187371dfd17c08855f5b2d
Opcode Fuzzy Hash: 336e1c7765ce89bb735e74a889a6d7a4bd5a3082db35aa5a2400fc6e68fc1a1d
Instruction Fuzzy Hash: 6A0205B0A043098BE7105F25DD45727BAE4AF80348F18853EE8C5A73E2EB7DD954CB5A

Function 0041960A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

amjh, xrefs: 004196E2

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: amjh
API String ID: 0-1051360590
Opcode ID: 3c864a5787bef8e8bf11816a1f0be47a4128881dbfddf9688fc9d708efbe6f7c
Instruction ID: 9be15c44005d4cd772ac0dc45af3ef8c8a4b2f40223aa877db9f9181b0955942
Opcode Fuzzy Hash: 3c864a5787bef8e8bf11816a1f0be47a4128881dbfddf9688fc9d708efbe6f7c
Instruction Fuzzy Hash: 51E19CB11093908FD324CF18C891BAFB7E1FBC9714F048A2DE9A99B390C7759905CB96

Function 00436400 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 319nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004364A8
NtFreeVirtualMemory.NTDLL(000000FF,00000000,?,00008000), ref: 00436506
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 004365CB
NtFreeVirtualMemory.NTDLL(000000FF,000000B8,?,00008000), ref: 00436628

Strings

R-,T, xrefs: 00436550

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: R-,T
API String ID: 292159236-635581381
Opcode ID: 25cc491f51e0b02a01cc23991ae46c5c8c7385e2a947bdd4057e2fd019247081
Instruction ID: 6766c571de64f46344bf9091094ab8d6f915d2aa4d0fce071a77462ede05d51d
Opcode Fuzzy Hash: 25cc491f51e0b02a01cc23991ae46c5c8c7385e2a947bdd4057e2fd019247081
Instruction Fuzzy Hash: 15B1BE756083029FD310CF18C881B1BF7E6EF88754F158A2DE9A49B3A0D7B5E905CB86

Function 0042AC90 Relevance: 7.6, APIs: 5, Instructions: 136clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0042ACCA
GetClipboardData.USER32 ref: 0042ACE7
GlobalLock.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0042AD0D
GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042AE0B
CloseClipboard.USER32 ref: 0042AE15

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: c74de18eb7989096d09118fb3c0b39538c3871bbba6d16bab27a7ae700e19bbc
Instruction ID: 7405af5fef2ee02590b6c5cda373b50619dce14ffee90a184e179fa75e513b97
Opcode Fuzzy Hash: c74de18eb7989096d09118fb3c0b39538c3871bbba6d16bab27a7ae700e19bbc
Instruction Fuzzy Hash: 79518F70508B90DFD3209F68E088756FFF0AB05304F548A6AD8D687B81D379B869DB97

Function 00419080 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 333nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004193A9
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004193F2

Strings

z9I;, xrefs: 004190E6
>!, xrefs: 004190A6

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: >!$z9I;
API String ID: 292159236-571071913
Opcode ID: c2d6abffb20397381d36a57533f72bf4df7645fb43c2d5d99f013694d5bca3d9
Instruction ID: aa37f20bd95380eb3b1cf3ce97e7b55e3a9c329d782f0430e56bd6cf2f5431aa
Opcode Fuzzy Hash: c2d6abffb20397381d36a57533f72bf4df7645fb43c2d5d99f013694d5bca3d9
Instruction Fuzzy Hash: 5391FFB1508315ABD710DF14C862BABB7E4EF55364F04492DE8919B390E378DD84C79A

Function 0041D860 Relevance: 6.4, APIs: 4, Instructions: 377nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041D90B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041D962
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041DA21
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0041DA74

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c05590aa284f659ab1ff88a352693644d4d9c9bbbb4b0d03a98c03f22095cace
Instruction ID: f12e9bd3b3976943500a4a5f30f00e633bcb2abb5d438019c33a3e3fa2868f53
Opcode Fuzzy Hash: c05590aa284f659ab1ff88a352693644d4d9c9bbbb4b0d03a98c03f22095cace
Instruction Fuzzy Hash: 8FD112B1A083118FE710CF18C88175BBBE1EF85754F14892EF59997390E7B8D948CB8A

Function 00436060 Relevance: 6.3, APIs: 4, Instructions: 293nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00436108
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00436165
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00436226
NtFreeVirtualMemory.NTDLL(000000FF,D2FF0000,00000010,00008000), ref: 0043627F

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 36e699c151b95e193061f1270c83b02f5e5ee10053037986066b4e40700681da
Instruction ID: 49ca7f5242dbcd3fd022b125e302c8249992bda91177800689f0051a8a520eb2
Opcode Fuzzy Hash: 36e699c151b95e193061f1270c83b02f5e5ee10053037986066b4e40700681da
Instruction Fuzzy Hash: 15B16575208306AFD714CF18C880A2BB7E5FF89754F158A2DF9948B3A0D778E905CB96

Function 004367D0 Relevance: 6.3, APIs: 4, Instructions: 268nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004368C8
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00436926
NtAllocateVirtualMemory.NTDLL(000000FF,900000C2,00000000,?,00003000,00000040), ref: 004369EB
NtFreeVirtualMemory.NTDLL(000000FF,900000C2,00000010,00008000), ref: 00436A45

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: cd884081bc9818a92c9e4489b6c376264a57f2caf2c6f68c8f954098abf983da
Instruction ID: 672c033b801017c53f79d511c546924481f449b2fd683b032dd6c08182a559c1
Opcode Fuzzy Hash: cd884081bc9818a92c9e4489b6c376264a57f2caf2c6f68c8f954098abf983da
Instruction Fuzzy Hash: B991CBB1208311AFD314DF18C851B2BB7E5EB89714F058A2DF9A99B3D0D7B49D05CB86

Function 00435D40 Relevance: 6.3, APIs: 4, Instructions: 255nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00435DE5
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00435E43
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00435F0A
NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000000,00008000), ref: 00435F67

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 4a3c08387ba274aee60c5d1916ac08ad76f402cccef1bc708aadcba37f2ba750
Instruction ID: bd20d81453ee42f1f4b7517343d47f95c4903e9cee43dcbda37a065a7916872a
Opcode Fuzzy Hash: 4a3c08387ba274aee60c5d1916ac08ad76f402cccef1bc708aadcba37f2ba750
Instruction Fuzzy Hash: B591AC712083119BD714CF18C881B2FB7E5EF89754F148A2DF9A49B3A0D779D905CB8A

Function 00430F80 Relevance: 6.2, APIs: 4, Instructions: 216nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00431029
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00431077
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00431142
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000010,00008000), ref: 00431192

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: a928b237f57b0b17e53b70244af814c1913241562c810474d508885c7ce79cd2
Instruction ID: c97853a5428db815bb4a3b326629f8a94def980331a2ce0bb860a58eabe7095b
Opcode Fuzzy Hash: a928b237f57b0b17e53b70244af814c1913241562c810474d508885c7ce79cd2
Instruction Fuzzy Hash: 81618AB56083019FE310CF18C841B1BB7E5FB88714F158A2DFAA49B3E0D7B4D9058B9A

Function 00431220 Relevance: 6.2, APIs: 4, Instructions: 187nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004312C9
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00431319
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004313DD
NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 00431427

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1317986512a92aea0aef00c007c68f029f6b7b3d695bedc9aa596dc7e27db6d2
Instruction ID: 6f54af3a3fb07f1279d8d25ef031b3d3afcffbe3443a1c77ef3a1e6406ca0462
Opcode Fuzzy Hash: 1317986512a92aea0aef00c007c68f029f6b7b3d695bedc9aa596dc7e27db6d2
Instruction Fuzzy Hash: 1D5150B52083009FE310CF18C845B1BBBE5EB89754F154A2DF5A89B3E0D7B5D905CB9A

Function 00404640 Relevance: 5.5, Strings: 4, Instructions: 490COMMON

Download Yara Rule

Strings

IHDR, xrefs: 00404A88
IEND, xrefs: 00404B6F
IDAT, xrefs: 00404AF9
), xrefs: 004046CE

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: ca540d9b534587f1f1c4cf09f415fc0d99ba53e3f9cded33c2fb97ebabd2fd25
Instruction ID: 52c9ff8d80b28e55c4cceb9f7a15d076c8ed26dd8b530def0313672c4869bde4
Opcode Fuzzy Hash: ca540d9b534587f1f1c4cf09f415fc0d99ba53e3f9cded33c2fb97ebabd2fd25
Instruction Fuzzy Hash: A102FFB16083848BD714CF29D840B5B7BE1ABC5304F05857EEA85AB3D2D379D909CB96

Function 00414810 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041484D
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 0041487E

Strings

qrs, xrefs: 004148B4

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: qrs
API String ID: 237503144-2859022563
Opcode ID: 6a2eb27cb63cb8baa3aa34835cc2b373ab2eb411cd5040f0f9ccd58027fba355
Instruction ID: eda3c44ddcc75995ddaab91c4b5a5cf42fb6c5c1e63a284cc22a84cb6203eb7d
Opcode Fuzzy Hash: 6a2eb27cb63cb8baa3aa34835cc2b373ab2eb411cd5040f0f9ccd58027fba355
Instruction Fuzzy Hash: 6351CEB02183409FD320DF24C892BABB7F4EFC6714F409A1DE8D99B281DB749944CB96

Function 00435640 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00435795
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004357F2

Strings

@, xrefs: 004356DD

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: 38ed3db7c2e87a1274921157910650fb39ff12a4cbf8ea07823737d1814df106
Instruction ID: 6640b2f459528be8d0ed829b28907b644bf569f604b01024f8043f355826c467
Opcode Fuzzy Hash: 38ed3db7c2e87a1274921157910650fb39ff12a4cbf8ea07823737d1814df106
Instruction Fuzzy Hash: EB416AB60097049FD710CF14C845B1BB7E4EF89368F554A1DF9A89B3E0E3B99908CB96

Function 0041A762 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041A926
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041A97C

Strings

45, xrefs: 0041AA20

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: 45
API String ID: 292159236-2889884971
Opcode ID: d22ce7d15f1133c231ec79a868faf920eebfc69913041afbbb1573a07fd066be
Instruction ID: d172e4884ac4b56c25201fe419e0efd8a582d02c9bafbf27299bb1ac4db13203
Opcode Fuzzy Hash: d22ce7d15f1133c231ec79a868faf920eebfc69913041afbbb1573a07fd066be
Instruction Fuzzy Hash: 92512FB51193809FE324CF14C881B9BBBE5BB85708F508E1DF5A58B290C7B89849CF87

Function 00435BD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00435CD5
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00435D27

Strings

@, xrefs: 00435C20

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: a90ab8a0cd4daf71cf99f0cea92b0cb68cb84263e84544a18a9e6542edb803e4
Instruction ID: 3fe43d9126eda68c299371970ff5079824eaf48954e339369717326f8e609661
Opcode Fuzzy Hash: a90ab8a0cd4daf71cf99f0cea92b0cb68cb84263e84544a18a9e6542edb803e4
Instruction Fuzzy Hash: 4B315CB51093049FE300CF14C845B5BBBE8FF89758F049A2DF9A49B3A0D3B499488B96

Function 00435940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004359F4
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00435A53

Strings

$, xrefs: 004359CB

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: 30ad43094ebbc4f817eefb129fcb90fb56446f4a3ca0fb091276ba7818ccea24
Instruction ID: b6cd4fc5617f75307aa5fadbe52b7a1f9cf99ceb11813469de56fd7ad4c8632b
Opcode Fuzzy Hash: 30ad43094ebbc4f817eefb129fcb90fb56446f4a3ca0fb091276ba7818ccea24
Instruction Fuzzy Hash: 85316FB5208314AFE310CF14DC41B1BBBE8EF89764F104A2DFAA49B3D0D7B599048B96

Function 00435AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00435B5F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00435BB9

Strings

$, xrefs: 00435B36

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: f5e773b2f091788966350e0a63bc577158c978624ae734252711e3eb6f38622d
Instruction ID: 8c0168298c7295535ec8f70261b5bf10024e0362d6a3083afa8bfc7d94816d77
Opcode Fuzzy Hash: f5e773b2f091788966350e0a63bc577158c978624ae734252711e3eb6f38622d
Instruction Fuzzy Hash: B3318F71208301AFE310DF58CC81B5BBBE5EB89754F114A29F9A49B3E0C7B1A905CB96

Function 00412277 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00412460
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004124AA

Strings

E~a, xrefs: 004124C5

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: E~a
API String ID: 292159236-3518370834
Opcode ID: 4ec0fb3348beb14298eb5bde9ead10086aa30b580c5cd0f929b09c49f456a438
Instruction ID: 11d32cca0f2d967b8800cdc6045bc695aa9ecc9cc7748b148549f3881b9b6f47
Opcode Fuzzy Hash: 4ec0fb3348beb14298eb5bde9ead10086aa30b580c5cd0f929b09c49f456a438
Instruction Fuzzy Hash: 10313AB5200B008FD324CF24C841B97B7F5FB49305F148A2DE6A68BBA0C7B5A905DB94

Function 00418E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00418EF1
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00418F58

Strings

,, xrefs: 00418EC8

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: 5073f53ea448efe73cfd1a5e613e150b8b0f03f3a0146396ac1f71bdd646be84
Instruction ID: c39eaa0980eb77a23462792ed0638b2d9eb6cc88ce49c722e2c9ac0daceb6dad
Opcode Fuzzy Hash: 5073f53ea448efe73cfd1a5e613e150b8b0f03f3a0146396ac1f71bdd646be84
Instruction Fuzzy Hash: 2D314975108304AFE310CF14CC41B6BBBE9FB89754F148A1DFAA49B390D7B599448B96

Function 004146B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041475E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004147A2

Strings

MyH, xrefs: 004146EF, 004147A8

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: MyH
API String ID: 292159236-33148060
Opcode ID: 783c9c79ea28bf6b904bb3e1589747c1a0522653b3f78ca33469997ff13faa65
Instruction ID: 89284e16cfb180a63f5b2f4dd5b3ad2cb6a359738ac1b9e6e4e8c1e1501f9b14
Opcode Fuzzy Hash: 783c9c79ea28bf6b904bb3e1589747c1a0522653b3f78ca33469997ff13faa65
Instruction Fuzzy Hash: F5317CB5901119AFDB04CF94D882BEEBBB4FB49315F140129EA22F7390D7745945CB98

Function 0041C765 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041C80C
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041C85F

Strings

&C$C, xrefs: 0041C865

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: &C$C
API String ID: 292159236-3372019179
Opcode ID: a320b92534bb12aa352c3b6f978209940fae640b8343fccefaeb5386bda2c14a
Instruction ID: a1b4da1b89d6a531a30288af52cc7f0f37e80405d102a15e68b7a4a03f5cf653
Opcode Fuzzy Hash: a320b92534bb12aa352c3b6f978209940fae640b8343fccefaeb5386bda2c14a
Instruction Fuzzy Hash: 5B216BB5200B009FE324CF24C845BA7B3E4FB46705F544A2DE6FA8B690DBB47444CB96

Function 00412F77 Relevance: 3.4, APIs: 2, Instructions: 404COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00413242
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,?,?,?), ref: 0041328F

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 846e30466f025941176c5ed187ab03b8379f7e8a16f2f023c214fb270b272f9d
Instruction ID: 370c0065ea5b4beb083f328f44a09b0753181469b918c3f1cb35a00d41c76884
Opcode Fuzzy Hash: 846e30466f025941176c5ed187ab03b8379f7e8a16f2f023c214fb270b272f9d
Instruction Fuzzy Hash: 66D18C75600B008FD324CF24C995BA7B7F1EF49304F148A6DD4AA8B7A1DB78E985CB94

Function 00405274 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

0, xrefs: 00405B80
8, xrefs: 00405B75

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 1abdc6b63e22dd11904a1ee86f960341f2f1a47027cd18bbf98a06cdafb77c06
Instruction ID: 2685ed99e930a88b6a444edf578d8c7800c495bedd5273bf380fdebf249e4964
Opcode Fuzzy Hash: 1abdc6b63e22dd11904a1ee86f960341f2f1a47027cd18bbf98a06cdafb77c06
Instruction Fuzzy Hash: 837244716087409FD724CF28C840B9BBBE2EF84354F08892EE8899B391D779D945CF96

Function 00419C41 Relevance: 3.2, APIs: 2, Instructions: 218nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00419E02
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00419E64

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c818f4acac1573eb2f55fa89ca4ef4672e9b9d69f08bd813ffd7a28c305afde6
Instruction ID: ef2dd0e930401fa5a73100609a87089f9c83a23e717f8076bb724ae4ec2485e9
Opcode Fuzzy Hash: c818f4acac1573eb2f55fa89ca4ef4672e9b9d69f08bd813ffd7a28c305afde6
Instruction Fuzzy Hash: 6C61C075A09201CFE318CF18E851BAAB3E5FB88314F15867DE9A9873A0C731E951CB45

Function 004220C1 Relevance: 3.2, APIs: 2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34805080d53ba31cd0dafb1168a335e08e1931c73bed86b3dde03d7fa16ec1c
Instruction ID: f67b520d0fb51807c1141d65a7a6df99394b1f85f9b6efa1675f3c862845f7e4
Opcode Fuzzy Hash: e34805080d53ba31cd0dafb1168a335e08e1931c73bed86b3dde03d7fa16ec1c
Instruction Fuzzy Hash: 33618F30109B909FD322CF38C950BA3BBE1BF46304F58499ED5E6CB2D2DB696419CB54

Function 004314A0 Relevance: 3.1, APIs: 2, Instructions: 110nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004315A2
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004315F5

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3739636bdda2710c77407f792419aaf8df7373abf80077719d8cd839f7acb28d
Instruction ID: 373573dada1b8fec116a7e944fa744d7db8ffbdfa9a01e3b745a84476fd8f0fc
Opcode Fuzzy Hash: 3739636bdda2710c77407f792419aaf8df7373abf80077719d8cd839f7acb28d
Instruction Fuzzy Hash: 95316FB1109301AFE304CF04C884B5BBBE4FB89358F144A2DF5A987390D7B5D909CB96

Function 00435810 Relevance: 3.1, APIs: 2, Instructions: 94nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004358B5
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0043590D

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 47544bb659c4cfd43654f101cfe8d4759f23581a17b4450c7eb10cfe68b3c5ff
Instruction ID: 39c264756e49c1a15df50a2ec3f4bfee241a058cc953e55265a8f82379b9cd45
Opcode Fuzzy Hash: 47544bb659c4cfd43654f101cfe8d4759f23581a17b4450c7eb10cfe68b3c5ff
Instruction Fuzzy Hash: B2318FB5108315AFE710CF14D845B5FB7E8EB89724F00862DF9A4973D0D7B49A08CB96

Function 00416492 Relevance: 3.1, APIs: 2, Instructions: 93nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 00416561
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004165CE

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: aa6079a2d465fcca66b080a542ad6d32fd647b3d6439b3602048b88abe4e3342
Instruction ID: 662979595e1f8448e9bc717329ca2773543966924be9934eb7ee8aa9e4973668
Opcode Fuzzy Hash: aa6079a2d465fcca66b080a542ad6d32fd647b3d6439b3602048b88abe4e3342
Instruction Fuzzy Hash: 7B319EB52083409FE320CF14C845B9BB7E5BBC8314F104A2DE6A99B3D0CBB4D909CB96

Function 00412700 Relevance: 3.1, APIs: 2, Instructions: 93nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004128BC
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00412926

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: a2c0668474d3c721ace4716a2093cf44091f707ee633c9640d5b9477d6de5c45
Instruction ID: 89ad83917c57849a99ccee8b3a6a282fdf18feef20c8f14891511dd553be9e7c
Opcode Fuzzy Hash: a2c0668474d3c721ace4716a2093cf44091f707ee633c9640d5b9477d6de5c45
Instruction Fuzzy Hash: 71318D752407019FE324CF28C841BA773F5EB85314F248A2DE6B697BD0DBB5A805CB94

Function 00431710 Relevance: 3.1, APIs: 2, Instructions: 93nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004317D5
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0043181F

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c22cad9922336621611a5ba96424e7c162cdbfab6079ca7b48d45348b6a5d34d
Instruction ID: 2c3b7f65c9778523a6217a447f64df0a55ff9242bb1c7e90e8322349b2f22bc1
Opcode Fuzzy Hash: c22cad9922336621611a5ba96424e7c162cdbfab6079ca7b48d45348b6a5d34d
Instruction Fuzzy Hash: 5531C3752043049FE314DF04C845B1FB7E8EB85754F199A2DF9A48B3E0C7B98849CB9A

Function 0041C5F0 Relevance: 3.1, APIs: 2, Instructions: 91nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041C68E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041C6DC

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 95b4433346de604a57decd086e46d7ea66cc79d2f21a47821e9884c1906957b7
Instruction ID: 5004e03b200649e865742a75115f279f857f3c9b49231f41bfc5bfaa4fcfa137
Opcode Fuzzy Hash: 95b4433346de604a57decd086e46d7ea66cc79d2f21a47821e9884c1906957b7
Instruction Fuzzy Hash: 7B3106B5201B108FD324CF28C985B56B7F5FB48714F508A2DE6AA87B90D775B805CB54

Function 0041EDB2 Relevance: 3.1, APIs: 2, Instructions: 90nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041EE44
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041EE93

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 40a6e9a88eff1cf3dced5062257cdb4bcc8a8ab64e59868662a6492c10e729d3
Instruction ID: bc97ef5a6b9aba287739b4455e37505b36f581c285794e946224220d9b43c55b
Opcode Fuzzy Hash: 40a6e9a88eff1cf3dced5062257cdb4bcc8a8ab64e59868662a6492c10e729d3
Instruction Fuzzy Hash: 052126B5101B008FE324CF15C845B57B7F5FB49705F104A2DE9A687BA0C7B4B908CB98

Function 00414D10 Relevance: 3.1, APIs: 2, Instructions: 87nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00414DAC
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00414E03

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 827742012b53ffb956235984f13c0178477c2ebd437e590f19bd19c6f341695e
Instruction ID: e21d31337b195916cbb3e7d6e06b2d062e57eb2767732df694966801d4ad23bf
Opcode Fuzzy Hash: 827742012b53ffb956235984f13c0178477c2ebd437e590f19bd19c6f341695e
Instruction Fuzzy Hash: 6F3186B1108345AFD750CF04C881BABBBE5FB88714F505A2DFAA5872A0D774D844CB5A

Function 00417305 Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004173AC
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004173F6

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 48f30e354db75d0fa2dcb1ac3f84d331473e3a9368c37d07d5c1377ccd77e318
Instruction ID: c9c7b957e64fe2e7d63f6ecf1f4768f9f08e564ed570af856d7a03f108a46801
Opcode Fuzzy Hash: 48f30e354db75d0fa2dcb1ac3f84d331473e3a9368c37d07d5c1377ccd77e318
Instruction Fuzzy Hash: 1A318CB51083459FD314CF18C881B6BB7E5FB89309F144A2DFAA5973A0C7B5E905CB4A

Function 0041541A Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004154D9
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0041552D

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 00065bc885ccb2301342028d2e1d2da75b2b2aa27fbf5402ff18a715aa299922
Instruction ID: 278507a08f5af3b181118b873276c577df7c409526f840b0eed888fd091c052b
Opcode Fuzzy Hash: 00065bc885ccb2301342028d2e1d2da75b2b2aa27fbf5402ff18a715aa299922
Instruction Fuzzy Hash: DF3189B2219340AFD314CF18C881B6BB7E4AB89718F545A2CF6A5DB3A0D774D804CB4A

Function 00431600 Relevance: 3.1, APIs: 2, Instructions: 81nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004316A5
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004316EB

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: de3270cfd8f4fa526337b5d4f90f01e957131db555acf8c6aea374fdb7c32536
Instruction ID: c35680033795f098efc5421160bde45de33c357b61e38b53ffe78f44d28b410c
Opcode Fuzzy Hash: de3270cfd8f4fa526337b5d4f90f01e957131db555acf8c6aea374fdb7c32536
Instruction Fuzzy Hash: 5621F1B51083059FE310CF44C845B1BBBE8EB84704F14892DF9A48B3E0C7B59908CB96

Function 00416790 Relevance: 3.1, APIs: 2, Instructions: 81nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 0041682A
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00416882

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: ccc271ce4834fb6ab81506d54b6ebbb012f350948a4cdc6b0f5bccc42e909f27
Instruction ID: 720153c1f65c8f26b5d20917e99fe5eefd48c24c676ba47020318df60b0e615c
Opcode Fuzzy Hash: ccc271ce4834fb6ab81506d54b6ebbb012f350948a4cdc6b0f5bccc42e909f27
Instruction Fuzzy Hash: E5218EB52183408FE324CF14C841BAFB7E8FB89305F104A2DE6A997391C7749909CB9A

Function 0042F1E0 Relevance: 3.1, APIs: 2, Instructions: 80nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0042F281
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0042F2DA

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 18e8c0dd9ebe68ac0df007a971596653b35d8e4150956291f8ca6074491937a4
Instruction ID: cd220f0b313901de8ba89210f0484f636b3935d8fc13056dc4fe951aea46baac
Opcode Fuzzy Hash: 18e8c0dd9ebe68ac0df007a971596653b35d8e4150956291f8ca6074491937a4
Instruction Fuzzy Hash: 5F218DB5208310AFD300CF44D840B1FBBF8EB86754F108A2DFAA497390D7769908CBA6

Function 00417C59 Relevance: 3.1, APIs: 2, Instructions: 80nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00417D03
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00417D46

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c31a6071f5fd7f96317114b26a8910f1a884ffd4622189ef5279387d2d96cc47
Instruction ID: 3db4b3e1d00fd50a9bc169d524c4fee68065df46d58180670e460394c7cd3ea8
Opcode Fuzzy Hash: c31a6071f5fd7f96317114b26a8910f1a884ffd4622189ef5279387d2d96cc47
Instruction Fuzzy Hash: F3318CB5A1021A8FDB04CF98C885BEEB7B4FB09715F144228E521F73D0D7759A04CBA8

Function 00431840 Relevance: 3.1, APIs: 2, Instructions: 79nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004318E5
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0043193A

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 32b84dfc94bb73d8406914cca6e252c7cae1e96feb907231bc762d0ea80a401c
Instruction ID: 6b126e7e0ce0632770a5d6b7a5534b564c0ae88b5910b704f1aeaa45c0594127
Opcode Fuzzy Hash: 32b84dfc94bb73d8406914cca6e252c7cae1e96feb907231bc762d0ea80a401c
Instruction Fuzzy Hash: BB21BDB1108304AFD310CF04C840B5BBBE8EB89754F108A2DFAA5873A0D7B59908CBA6

Function 004156F7 Relevance: 3.1, APIs: 2, Instructions: 71nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00415AE5
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00415B39

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1a5af60e32216ef9f3611fc47d51c7df91418815ac4bd59391b9ca0a8d076c36
Instruction ID: 54d6ea0e2f743d7e5857fbe281753a3b1fccb42ff69e2b202ed6251b16fdd3c7
Opcode Fuzzy Hash: 1a5af60e32216ef9f3611fc47d51c7df91418815ac4bd59391b9ca0a8d076c36
Instruction Fuzzy Hash: 0D314AB5208340AFD364CF04C885B5BB7E4FB85354F505A2DF9A5973A0CB749904CB4A

Function 004212E2 Relevance: 3.1, Strings: 2, Instructions: 562COMMON

Download Yara Rule

Strings

p}w/, xrefs: 00421A21
Tzrp, xrefs: 00421A2B

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Tzrp$p}w/
API String ID: 0-1275741564
Opcode ID: 77a4f5eb5d99b2075c0fd27f64357495d895f34beae2b97a9c96fb5bd27607c3
Instruction ID: 8516eb65667c1b9dfb56d3a02e1b180b79a41715407cea7974276e7dc11585d9
Opcode Fuzzy Hash: 77a4f5eb5d99b2075c0fd27f64357495d895f34beae2b97a9c96fb5bd27607c3
Instruction Fuzzy Hash: 8D227D70204B908AE725CF34C494BE3BBE1BB66304F48899DD0FB8B293DB796509CB55

Function 00423216 Relevance: 2.0, Strings: 1, Instructions: 721COMMON

Download Yara Rule

Strings

U;Gy, xrefs: 004239FD

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: U;Gy
API String ID: 0-1665677991
Opcode ID: f1806364249207e65d897304ebc93d72f4f27ce44e147a4eade0884c6cd842c7
Instruction ID: d7258c4eb2ce83d0554d98002dc95a6a6c56b53b7fbc30ec147fd3360628309c
Opcode Fuzzy Hash: f1806364249207e65d897304ebc93d72f4f27ce44e147a4eade0884c6cd842c7
Instruction Fuzzy Hash: 9E524A70204B508AE765CF35C0A87A3BBF1BF16309F54895DD0EA8B382D77DA509CB55

Function 00401000 Relevance: 1.8, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

/, xrefs: 00401396

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 99366c02946542bc186517ed4eb94a5d48fb1a995c784a48a55d23fe09246eb2
Instruction ID: e8deeecb93aaaa9436bc7c50b48a70d822c30eb13d0cfe0281f96441dd7ece4e
Opcode Fuzzy Hash: 99366c02946542bc186517ed4eb94a5d48fb1a995c784a48a55d23fe09246eb2
Instruction Fuzzy Hash: B012177140C3919BDB158E28C4913AB7FD29B92350F18897FE8D5AB3F2C23D8945D78A

Function 0041F3FD Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

TaH, xrefs: 0041F6CB

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: TaH
API String ID: 0-2417347642
Opcode ID: 5b86973df1b486412a4365bf3400b10059a3f8f486096a1b63d5135ce53ae8d2
Instruction ID: 5ce74c19dc13c8cfc29d1aee17a1f79b46338ffae588c98281eaa3d84f2bb6eb
Opcode Fuzzy Hash: 5b86973df1b486412a4365bf3400b10059a3f8f486096a1b63d5135ce53ae8d2
Instruction Fuzzy Hash: 0DE18AB0504B419FD320CF28C481B52BBE2BF59314F148B6ED4AA4BB92E739F44ACB54

Function 00410E43 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

b, xrefs: 00410E95

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: 9290a50bccac568a856e3de76278488ef3e7846cef2d07d93656f66f302889d6
Instruction ID: e4165f24884359248b5001b375dd16af44f0695ac9c5d8c6eb7107912fba4887
Opcode Fuzzy Hash: 9290a50bccac568a856e3de76278488ef3e7846cef2d07d93656f66f302889d6
Instruction Fuzzy Hash: 43416CB01007018BE718CF24C5A4757BBF2BF46308F08C45CD89A4BB86D7B9E819CB95

Function 00433458 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

$WH, xrefs: 00433458

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $WH
API String ID: 0-1308112159
Opcode ID: ff07fafbcb64e4dbec8ee2fb06162ccc5008aea93c71416dfb0cf98052e2f64c
Instruction ID: eaba2cd65facd31915807d51d36ca71fc7796c6bfe25c2e706542fcbc80e4904
Opcode Fuzzy Hash: ff07fafbcb64e4dbec8ee2fb06162ccc5008aea93c71416dfb0cf98052e2f64c
Instruction Fuzzy Hash: E4B0922CE480018B860CCF14D850479B23EBF973D8B6AB12AC10223636C2209456C90C

Function 00407B20 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31971f4d6380977fc7eac421c415a41e0d26190d4cf17307f1ba65e36c26d59a
Instruction ID: 07a6c18f929ec054ab611a65b22034f4389f06a7d378097b8cbb4029302e576e
Opcode Fuzzy Hash: 31971f4d6380977fc7eac421c415a41e0d26190d4cf17307f1ba65e36c26d59a
Instruction Fuzzy Hash: B552C2315087128BC725DF18D58067AB3E1FFC4314F198A3ED9C6A7385EB39A855CB8A

Function 00403240 Relevance: .7, Instructions: 704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baeec879a51715a6fb99e628e73fbdf4d86138da3628f47ca06570b7d25ff8d
Instruction ID: d3d596e64fe5aaf16f46270e1ca1f40214ef4a0f5035b6d547cca3ddadfacf55
Opcode Fuzzy Hash: 7baeec879a51715a6fb99e628e73fbdf4d86138da3628f47ca06570b7d25ff8d
Instruction Fuzzy Hash: D7529A71608B418FC325CF29C08066BFBE5BF89305F148A6EE4DA97792D738EA45CB45

Function 00403C60 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4674853348b518fe51280cf43b98534ea95c916aa7cf61aaa94c4cf91fed02c0
Instruction ID: 48324f430adcb02a9f072f594d160767e89fef8af2c9d0d2100ae14cf2c622d5
Opcode Fuzzy Hash: 4674853348b518fe51280cf43b98534ea95c916aa7cf61aaa94c4cf91fed02c0
Instruction Fuzzy Hash: A8426AB0614B518FC368CF28C58056ABBF1FF95310B608A2ED6979BB90D739F945CB18

Function 00405F30 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076beb7752143696acc8b69a1040e0566f21b35b270ddcacdee470e0fee06f8b
Instruction ID: 055bf2327ea2b70be3f427664b7a337a7c6c5f626e3e754f07ce211969309af7
Opcode Fuzzy Hash: 076beb7752143696acc8b69a1040e0566f21b35b270ddcacdee470e0fee06f8b
Instruction Fuzzy Hash: E802C635608350CFCB14CF19C88075BBBE6AFC9304F09846EE8899B396DB79D815CB96

Function 00422382 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9318731ec8ac89eb675802e40718612ac6da8c029f92f1e99a2ec412a01679
Instruction ID: 04c4832ac7164a43c352fe0f779f7a12e3d0e6ce0dc6103c7448c57aa41f2777
Opcode Fuzzy Hash: cf9318731ec8ac89eb675802e40718612ac6da8c029f92f1e99a2ec412a01679
Instruction Fuzzy Hash: 8CD1E270204B518BD3358F39D1943A3BBE2BF96304F588A5ED0EB8B386DB79A505CB54

Function 00413A27 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f2cc26890daa8189b96b810b99e95a5ba0b27fccc0beac7a0023a9e4fb69db
Instruction ID: 45962eb2decec1df715c021f7369d0b0b973fd81592691187958a152977faf35
Opcode Fuzzy Hash: f0f2cc26890daa8189b96b810b99e95a5ba0b27fccc0beac7a0023a9e4fb69db
Instruction Fuzzy Hash: 3ED1EF71108B408FD729CF25C0A13A2BBE2FF56311B194A5ED4D74BB95D339E986CB88

Function 0042EF80 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0564d9bcdf403d2e4839fd4c5ad673e14c5f1acf4c73d570165f63ae789460
Instruction ID: 6d9c8b9e748fcdea59a7b4f8d2797e5869a8a1c6b3449739a300939d64184ef7
Opcode Fuzzy Hash: bb0564d9bcdf403d2e4839fd4c5ad673e14c5f1acf4c73d570165f63ae789460
Instruction Fuzzy Hash: 70516CB16087548FE314DF29D89475BBBE1BBC4318F444A3EE4E987351E379DA088B86

Function 00432156 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb9e88ca9c4e1293fa784d621018e3444c1b9758284c9722dab37a4fea8c74a
Instruction ID: 1caa6a703d54519c89b5f4bfa3d8a5df902c3299b38047a4515c147995bcaaf8
Opcode Fuzzy Hash: deb9e88ca9c4e1293fa784d621018e3444c1b9758284c9722dab37a4fea8c74a
Instruction Fuzzy Hash: 7A515CB0900B008FD728DF29D95AB137BE5EB09314F11875CE9A68B7A2D374E444CBCA

Function 0040FDB0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae3cdc1a8909d95e7fbba672c885f52d80703272f9501adc06347a69e68e35e
Instruction ID: 30e6442998a3a44d6722a720f2c651c78d2dfb7d97cc19c6a14db8ee58dfab70
Opcode Fuzzy Hash: fae3cdc1a8909d95e7fbba672c885f52d80703272f9501adc06347a69e68e35e
Instruction Fuzzy Hash: EC41F9B22083504FE3189A3AC4A037ABBD2AFC9710F09863EF1E9873D1D6788549E755

Function 00417A8C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513684c1d86cb7e4d0c8697cb68479c75be5aaeb68b1b23c6aced5c0a04259ea
Instruction ID: 6629a41a025456f28dff0c440210363fa9ba3e205cfdaddc4f48fa14fcb1afb0
Opcode Fuzzy Hash: 513684c1d86cb7e4d0c8697cb68479c75be5aaeb68b1b23c6aced5c0a04259ea
Instruction Fuzzy Hash: 764168BA5142508BD750DF28ECD1A623BB0FF59324B04A53AF845EB3E1E338A980C75D

Function 00402E70 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b004cb2c4a6f1d0dc45651f8ac36cf1f05fa46ffd5eca07fb521ef7a88d7007
Instruction ID: 800d309dfbe3b792a961d651a3af81d9cdc07eef777c172838c488bd3b971425
Opcode Fuzzy Hash: 4b004cb2c4a6f1d0dc45651f8ac36cf1f05fa46ffd5eca07fb521ef7a88d7007
Instruction Fuzzy Hash: F72145717181B207D360CA398CC452777A3DBC721272D92B7DBC0D33D6C17AD806A298

Function 00434FB2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a0d51ecdb21380397ce5b78989964821fb794bc37cc94022c655011b96d591
Instruction ID: f376e0825e94ea2331c21c8896b3eb8f9b489db03b714074c4014fd88a4b0a01
Opcode Fuzzy Hash: 64a0d51ecdb21380397ce5b78989964821fb794bc37cc94022c655011b96d591
Instruction Fuzzy Hash: 40016D2280CB9C0AD3196970A8B1377BA965B8B294F09361EE5F95B1D2F51AD50446C8

Function 0042D620 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 8eaa9216552694f0a6efe99b3112ae4451f792994acd44972f5a6118374a637e
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 0B118A33F051E40EC3158D3C94005657FA34AD3635B69439AE4F8972D6D5268D8A8359

Function 00420D8E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dfa9a4884457dce4fc74b6033b7ce61d9fcfdd3f68719420741ff4c2a8110b
Instruction ID: 519d7a56c6b56333256d6c0668fc1d6874d7a947a6a0dc52ff8748bdd24eaad6
Opcode Fuzzy Hash: 75dfa9a4884457dce4fc74b6033b7ce61d9fcfdd3f68719420741ff4c2a8110b
Instruction Fuzzy Hash: 1F217270104BD08FD3668B28D8A07A7BBF0BF12306F4959AED0E7CB292D7286409CF14

Function 0041390E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Object$MetricsSelectSystem$Delete
String ID:
API String ID: 3299334569-0
Opcode ID: b2e239ff4e3ec89c166cf7a9e3997b749561d0047b92aaea6031bf0e23876ed0
Instruction ID: cce2ada2153569562c322a6337db7c046403c085858744b693d3a4ce488df618
Opcode Fuzzy Hash: b2e239ff4e3ec89c166cf7a9e3997b749561d0047b92aaea6031bf0e23876ed0
Instruction Fuzzy Hash: 65216AB16007408BEB15CF14C9D1B52B7F2AF46308F08886DD89A9B796DB78E905CB55

Function 004105BD Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d2b1cd7c574ec602404e23193f01f8c5e8e3fc1f893b6c7767cbb7704c00b1
Instruction ID: 75f145016c671befc23404dbc861ed4879f85f32f666120485f73330d3d1790d
Opcode Fuzzy Hash: 27d2b1cd7c574ec602404e23193f01f8c5e8e3fc1f893b6c7767cbb7704c00b1
Instruction Fuzzy Hash: 8D113674201B029BD7148F21CA64B27F7F6EF82704F14891DC45A5BB81C779F925CB88

Function 0041561D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7d422ba1a35d639b328539018ae243784b3c1143205dac9b9662b4e469a832
Instruction ID: b0bfe5d4de48fd99e7331d5f2a247961e7baddaa943f96647ce36a32244f5977
Opcode Fuzzy Hash: 9f7d422ba1a35d639b328539018ae243784b3c1143205dac9b9662b4e469a832
Instruction Fuzzy Hash: CB11F5B5508344AFC740DF24E48089FBBF1FB99358F84692DF889A7251D330D9918F4A

Function 004352C9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408c5df8bd425de925e479bc886196f4af41ff4cc65f312a68bee035edc5c1ec
Instruction ID: a84d78f813fee3adda7330d1a6ca53cd61c13742b07c7bc7353681767fb2d639
Opcode Fuzzy Hash: 408c5df8bd425de925e479bc886196f4af41ff4cc65f312a68bee035edc5c1ec
Instruction Fuzzy Hash: 28F05E35A193118BC749CF19D55063AFBF0AF86741F99586EF485D3340CB30DD059B4A

Function 00428009 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8818c2abf4ecc78f630fb9ea865fa7607d9193dbbcc83948b867971efb1357db
Instruction ID: ce485ebb93233df4bc7e8e3288d243df8de408af998be4bf21e4d091bf36e330
Opcode Fuzzy Hash: 8818c2abf4ecc78f630fb9ea865fa7607d9193dbbcc83948b867971efb1357db
Instruction Fuzzy Hash: DEF0547011D3C18FD316DF28C8146877BF1BB86304F54485ED485CB252C7B55908DB56

Function 0040D1C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
Instruction ID: 21b4a5b2d36639708a878ae6fdf5a4c74f651265d5738b3eb8c98cd9134a9d8a
Opcode Fuzzy Hash: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
Instruction Fuzzy Hash: 24D09770A083B00E87084D380460433FBE4E847212F0810AFF0C2F7284C634DC0452AC

Function 0040FA72 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25bc749fd17f88683fa8adf8193934d49525026852037a895d3829fff585e429
Instruction ID: df5b7e2b569f04db5f49db89617276ba6c7beaeda75e14a5596dd023a1867cdf
Opcode Fuzzy Hash: 25bc749fd17f88683fa8adf8193934d49525026852037a895d3829fff585e429
Instruction Fuzzy Hash: E0D0C921B680148B871C8F20DC20A7A72B6E7CEB04755643C8A03AB655DB2499168B8C

Function 0041CB43 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd689b4edf37a42a43b3fcc9b7e28963ac80fa34631fe5fcf31d13711efd50c6
Instruction ID: 9168cea3e2b344ec0e9888c1e6194936020cc1656f860627784ca2e01d039111
Opcode Fuzzy Hash: dd689b4edf37a42a43b3fcc9b7e28963ac80fa34631fe5fcf31d13711efd50c6
Instruction Fuzzy Hash: E1C08C21D500009BC105CF29BC4283273319B07208F00303CA893F3291EE54D41CCC0D

Function 0040FA7F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840822eb54daab1c8820f1ca977bb3fa982d50878fd3a026cbfd78508b2a16c8
Instruction ID: 54e6d1c3f3ba8806ee637ffe0cef45773103c76bb334e75210dbb34c4d509c28
Opcode Fuzzy Hash: 840822eb54daab1c8820f1ca977bb3fa982d50878fd3a026cbfd78508b2a16c8
Instruction Fuzzy Hash: 8EC08C34E1820087C34CCF04C880737B7B6EBCE304F107028DA021B312C320E8418A4C

Function 004119E7 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043d0fd37857779313936d78f70a5c40b06c8ed69d29ab11f6ab6b6594349452
Instruction ID: 3a12948dfbdfd68152cfbea5bb627fc3546c02fb5bd934d1994e8a45fb63d81d
Opcode Fuzzy Hash: 043d0fd37857779313936d78f70a5c40b06c8ed69d29ab11f6ab6b6594349452
Instruction Fuzzy Hash: F0C09B34F540404B860CCE10EC91575F377D357215714B435DA16D3755C734D4018D4C

Function 00434489 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb68f65190db135316a592940d69e2b01eaba8ed0c9d8953160d9140597cd99
Instruction ID: 777a6fc16b50d7c3721b87b258d1e782cde24941737e10d385237bf121344f5f
Opcode Fuzzy Hash: 1fb68f65190db135316a592940d69e2b01eaba8ed0c9d8953160d9140597cd99
Instruction Fuzzy Hash: E2B09238A890008B864DCF24EA51430A378DB17209B44343AB902F3262C564E402891C

Function 0041ADB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041AECE
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0041AEFD

Strings

Me+c, xrefs: 0041AE68

Memory Dump Source

Source File: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Me+c
API String ID: 237503144-2767035324
Opcode ID: 63d4f08bbabbfdf3902aec2507fb5a840303fa89a4d933df12fc30f75bda29b6
Instruction ID: a13543ed3ffbf71520c79c386d50d5a7626435ce53941ad9e5994be13f31298b
Opcode Fuzzy Hash: 63d4f08bbabbfdf3902aec2507fb5a840303fa89a4d933df12fc30f75bda29b6
Instruction Fuzzy Hash: C25140B0109341AFD314CF14D880B9BBBE6EBC6354F108A2DF8A91B295D774E9458B96

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_96.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_96.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
LisectAVT_2403002A_96.exe

Function 02AD5429 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 01062B36 Relevance: 1.7, APIs: 1, Instructions: 180
COMMON

Function 01062838 Relevance: 1.7, APIs: 1, Instructions: 165
COMMON

Function 0106291A Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Function 0106276E Relevance: 1.7, APIs: 1, Instructions: 160
COMMON

Function 01062A2B Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 010628C0 Relevance: 1.7, APIs: 1, Instructions: 153
COMMON

Function 0106281F Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Function 010627BD Relevance: 1.6, APIs: 1, Instructions: 149
COMMON

Function 01062EA3 Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Function 01062E0E Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Function 01063129 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 01063130 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Function 01062F90 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 004324B2 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
nativememoryCOMMON

Function 00435440 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146
nativememoryCOMMON

Function 00432987 Relevance: 6.2, APIs: 4, Instructions: 157
nativememoryCOMMON

Function 00432C52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
nativeCOMMON

Function 0043286A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
nativeCOMMON

Function 00414280 Relevance: 3.1, APIs: 2, Instructions: 77
nativememoryCOMMON

Function 004327F1 Relevance: 1.5, APIs: 1, Instructions: 29
nativeCOMMON