Edit tour

Windows Analysis Report
3vLKNycnrz.exe

Overview

General Information

Sample name:	3vLKNycnrz.exe renamed because original name is a hash value
Original sample name:	78b4d3e1df367155161b0ca24d08b157.exe
Analysis ID:	1581190
MD5:	78b4d3e1df367155161b0ca24d08b157
SHA1:	e0b63eb3c6858c7cb8e3754b67264b8a861b1d86
SHA256:	10c9f5d51b36a62a32560a1e9912a28c781f9723fa23c2f778a86e8e94aef2fb
Tags:	exeLummaStealeruser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

3vLKNycnrz.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\3vLKNycnrz.exe" MD5: 78B4D3E1DF367155161B0CA24D08B157)

3vLKNycnrz.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\3vLKNycnrz.exe" MD5: 78B4D3E1DF367155161B0CA24D08B157)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["sordid-snaked.cyou", "effecterectz.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "peelyitemsn.click", "immureprech.biz", "deafeninggeh.biz", "diffuculttan.xyz", "wrathful-jammy.cyou"], "Build id": "Lb9dkQ--Jora"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1430982949.0000000006240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 3vLKNycnrz.exe PID: 7360	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 3vLKNycnrz.exe PID: 7360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.3vLKNycnrz.exe.6240000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.3vLKNycnrz.exe.47d16e0.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.3vLKNycnrz.exe.45cf2a0.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:13:07.399283+0100	2028371	3	Unknown Traffic	192.168.2.8	49706	104.21.62.151	443	TCP
2024-12-27T08:13:09.017586+0100	2028371	3	Unknown Traffic	192.168.2.8	49707	104.21.62.151	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:13:08.134997+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49706	104.21.62.151	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:13:08.134997+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49706	104.21.62.151	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["sordid-snaked.cyou", "effecterectz.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "peelyitemsn.click", "immureprech.biz", "deafeninggeh.biz", "diffuculttan.xyz", "wrathful-jammy.cyou"], "Build id": "Lb9dkQ--Jora"}

Multi AV Scanner detection for submitted file

Source: 3vLKNycnrz.exe	ReversingLabs: Detection: 52%
Source: 3vLKNycnrz.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 3vLKNycnrz.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: peelyitemsn.click
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Lb9dkQ--Jora

Source: 3vLKNycnrz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.62.151:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: 3vLKNycnrz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+499B7F50h]	2_2_0043A320
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 2DA07A80h	2_2_0043CCE0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edx, dword ptr [ebp-1Ch]	2_2_0040BD61
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-17h]	2_2_00427040
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx eax, byte ptr [edi+ecx]	2_2_0040D076
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_00429820
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edx, eax	2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov esi, dword ptr [ebp-00000084h]	2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_0043A8FB
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then xor eax, eax	2_2_0041709A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_0043D8A0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_00428160
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-01EDEA17h]	2_2_0042A96A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042A972
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-01EDEA17h]	2_2_0042A972
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax+2C9B826Eh]	2_2_0040D1C7
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_0040D1C7
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+eax-04h]	2_2_0041F990
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then jmp eax	2_2_0041CA02
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then jmp eax	2_2_0041CA19
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi-403FDF06h]	2_2_00408230
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+02h]	2_2_004212C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	2_2_0040E2CF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07C7E146h]	2_2_004162D6
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [esi], cx	2_2_004142E0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00432A90
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 71B3F069h	2_2_0043CA90
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	2_2_00439340
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+07C7DE9Eh]	2_2_00439340
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], A2347758h	2_2_00439340
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00429360
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], 5E874B5Fh	2_2_00438B00
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then push edi	2_2_004263C1
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h]	2_2_0043B3E5
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edx, ecx	2_2_004223EF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edx, eax	2_2_00423386
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_00423386
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+07C7DE9Eh]	2_2_0040E39C
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edi, dword ptr [esp+44h]	2_2_00427C3A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	2_2_0042843A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+07C7DE9Eh]	2_2_0040E39C
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+526FD95Bh]	2_2_00435CA0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	2_2_0040D555
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edi, ecx	2_2_00422D70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edx, eax	2_2_00422D70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_00422D70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00428D00
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then jmp edx	2_2_0043BD10
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then jmp eax	2_2_0040A539
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_00415538
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi-5Eh]	2_2_004365C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edx, eax	2_2_0041C5E0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_0041C5E0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_00414DB0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+06h]	2_2_00408E70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6592EC84h]	2_2_00426608
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], C7235EAFh	2_2_0043CE10
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then lea ecx, dword ptr [eax-67528DC7h]	2_2_00426E19
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+07C7DEA2h]	2_2_00419620
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [edx], ax	2_2_0040C6E5
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+55636BF6h]	2_2_0040C6E5
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00429EF8
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then push edi	2_2_0040DE8A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	2_2_00438EB0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	2_2_0040CF45
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], E785F9BAh	2_2_00438F60
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-62h]	2_2_00414713
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov edi, dword ptr [esp+08h]	2_2_00414713
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov eax, 00000001h	2_2_00414713
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041B7C6
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov esi, edx	2_2_0042B7AD
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then mov ecx, eax	2_2_0042B7AD
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 705FAB68h	2_2_0040D7B4
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+07C7DE9Eh]	2_2_0040D7B4
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	2_2_0040D7B4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 104.21.62.151:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.62.151:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: peelyitemsn.click
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.62.151:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.62.151:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: peelyitemsn.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: peelyitemsn.click

Source: unknown

Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peelyitemsn.click/
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peelyitemsn.click/.
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peelyitemsn.click/C
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000002.00000002.1443006164.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peelyitemsn.click/api
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peelyitemsn.click/api6
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 104.21.62.151:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Code function: 2_2_00430740 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00430740

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Code function: 2_2_00430740 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00430740

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_03292B30 NtQueryInformationProcess,		0_2_03292B30
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_03292B29 NtQueryInformationProcess,		0_2_03292B29

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_032975F0	0_2_032975F0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_03293A28	0_2_03293A28
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_0609A678	0_2_0609A678
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06099430	0_2_06099430
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_0609BFDB	0_2_0609BFDB
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06095659	0_2_06095659
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06095668	0_2_06095668
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_0609A66A	0_2_0609A66A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06095667	0_2_06095667
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06095081	0_2_06095081
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_060950AF	0_2_060950AF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_060950C0	0_2_060950C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06095BEA	0_2_06095BEA
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06095BF8	0_2_06095BF8
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06C8E758	0_2_06C8E758
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06C70040	0_2_06C70040
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06C70007	0_2_06C70007
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0040A970	2_2_0040A970
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0040CAAA	2_2_0040CAAA
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00408620	2_2_00408620
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0040B63E	2_2_0040B63E
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00422040	2_2_00422040
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00408850	2_2_00408850
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00436850	2_2_00436850
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00416856	2_2_00416856
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043C060	2_2_0043C060
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00425070	2_2_00425070
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00422022	2_2_00422022
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043D030	2_2_0043D030
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004370C2	2_2_004370C2
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004350C0	2_2_004350C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004230D0	2_2_004230D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041709A	2_2_0041709A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043D8A0	2_2_0043D8A0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00403940	2_2_00403940
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041895F	2_2_0041895F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042A96A	2_2_0042A96A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00405970	2_2_00405970
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00417971	2_2_00417971
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042A972	2_2_0042A972
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042717D	2_2_0042717D
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00409100	2_2_00409100
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00435930	2_2_00435930
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043C130	2_2_0043C130
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0040D1C7	2_2_0040D1C7
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042B9CD	2_2_0042B9CD
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004061D0	2_2_004061D0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042698C	2_2_0042698C
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041F990	2_2_0041F990
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004219A3	2_2_004219A3
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004249BC	2_2_004249BC
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041BF2B	2_2_0041BF2B
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00422250	2_2_00422250
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004342C3	2_2_004342C3
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004212C0	2_2_004212C0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004162D6	2_2_004162D6
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004142E0	2_2_004142E0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_004042F0	2_2_004042F0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00417AFA	2_2_00417AFA
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00434A93	2_2_00434A93
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043D2B0	2_2_0043D2B0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042BABA	2_2_0042BABA
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00439340	2_2_00439340
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00411357	2_2_00411357
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042335E	2_2_0042335E
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041BB70	2_2_0041BB70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042BB03	2_2_0042BB03
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00438B00	2_2_00438B00
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042BB12	2_2_0042BB12
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00435320	2_2_00435320
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00423386	2_2_00423386
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00402BA0	2_2_00402BA0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00407440	2_2_00407440
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00416C7C	2_2_00416C7C
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00404C20	2_2_00404C20
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00421CCF	2_2_00421CCF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00427CD4	2_2_00427CD4
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043C490	2_2_0043C490
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00435CA0	2_2_00435CA0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00409560	2_2_00409560
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00422D70	2_2_00422D70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043BD10	2_2_0043BD10
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041E520	2_2_0041E520
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00415538	2_2_00415538
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00425DC1	2_2_00425DC1
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041CDF0	2_2_0041CDF0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00420590	2_2_00420590
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043D590	2_2_0043D590
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041D5A0	2_2_0041D5A0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00417DA0	2_2_00417DA0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00406660	2_2_00406660
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00408E70	2_2_00408E70
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043BE00	2_2_0043BE00
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00419620	2_2_00419620
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042262A	2_2_0042262A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00405E30	2_2_00405E30
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042A63F	2_2_0042A63F
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042CECB	2_2_0042CECB
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00420EE0	2_2_00420EE0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00411E90	2_2_00411E90
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042A69A	2_2_0042A69A
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0040AEB0	2_2_0040AEB0
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00402F40	2_2_00402F40
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00438F60	2_2_00438F60
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041077E	2_2_0041077E
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00414713	2_2_00414713
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0041BF2B	2_2_0041BF2B
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0042673E	2_2_0042673E
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00408780	2_2_00408780
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043B781	2_2_0043B781
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00433798	2_2_00433798
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043BFA0	2_2_0043BFA0

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: String function: 004142D0 appears 70 times
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: String function: 00407F20 appears 53 times

Source: 3vLKNycnrz.exe, 00000000.00000002.1429651490.0000000005F50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLcgkqdml.dll" vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1403828044.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000000.1385787272.00000000010DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameldr.exe( vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLcgkqdml.dll" vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3vLKNycnrz.exe
Source: 3vLKNycnrz.exe	Binary or memory string: OriginalFilenameldr.exe( vs 3vLKNycnrz.exe

Source: 3vLKNycnrz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3vLKNycnrz.exe, avl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3vLKNycnrz.exe, atr.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 3vLKNycnrz.exe, auk.cs

Base64 encoded string: 'xGXeA0tmuU7IEUJu9GjEGEAl1m/eEkNp+2WWMEt/0nLZBVdK5G/IGkxn7ifKElpU0WnBG2Bq+nmWGF5U3nLIBltq+3XZDhVs8mjyO0tl8GjFTGlu40jUB0tN5XPAP09l83DITElu40PjFkNurFXDE0tz2HqWJUtq80/ZBUdl8CfsE0ow8HnZKH5k5HXZHkFlrHvIA3FI4m7fEkB/03PAFkdlrE/IA2pq432WRRk8oiSWNl148nHPG1dY8m7bElwwxHXAB0Ju1m/eEkNp+2XoD15n+G7IBRVp9n7IG1hmrG/AGEVu43neAw=='

Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Code function: 2_2_0042CAFB CoCreateInstance,

2_2_0042CAFB

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Mutant created: \Sessions\1\BaseNamedObjects\Gaxvawd

Source: 3vLKNycnrz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3vLKNycnrz.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3vLKNycnrz.exe	ReversingLabs: Detection: 52%
Source: 3vLKNycnrz.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

File read: C:\Users\user\Desktop\3vLKNycnrz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 3vLKNycnrz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3vLKNycnrz.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 3vLKNycnrz.exe

Static file information: File size 3635712 > 1048576

Source: 3vLKNycnrz.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x377000

Source: 3vLKNycnrz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431795732.0000000006370000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.3vLKNycnrz.exe.4fb8558.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.3vLKNycnrz.exe.62d0000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.3vLKNycnrz.exe.6240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3vLKNycnrz.exe.47d16e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3vLKNycnrz.exe.45cf2a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1430982949.0000000006240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3vLKNycnrz.exe PID: 7360, type: MEMORYSTR

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_0329C478 pushad ; retf	0_2_0329C479
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 0_2_06C76DAE push ss; ret	0_2_06C76DAF
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0044183C push cs; retf	2_2_0044184D
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00442A54 push eax; retn 0041h	2_2_00442A55
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_0043BCA0 push eax; mov dword ptr [esp], 1D1C1BCAh	2_2_0043BCA2
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00441E88 push esi; ret	2_2_00441E89
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Code function: 2_2_00438EB0 push eax; mov dword ptr [esp], 6A6B6C6Dh	2_2_00438EBF

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 3vLKNycnrz.exe PID: 7360, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Memory allocated: 3460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe TID: 7484

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: 3vLKNycnrz.exe, 00000002.00000002.1443006164.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@mD
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: 3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Code function: 0_2_03291320 CheckRemoteDebuggerPresent,

0_2_03291320

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Code function: 2_2_0043A5B0 LdrInitializeThunk,

2_2_0043A5B0

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: debonairnukk.xyz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: diffuculttan.xyz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: effecterectz.xyz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: deafeninggeh.biz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immureprech.biz
Source: 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: peelyitemsn.click

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Process created: C:\Users\user\Desktop\3vLKNycnrz.exe "C:\Users\user\Desktop\3vLKNycnrz.exe"

Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Queries volume information: C:\Users\user\Desktop\3vLKNycnrz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3vLKNycnrz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3vLKNycnrz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	3 Virtualization/Sandbox Evasion	OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3vLKNycnrz.exe	57%	Virustotal		Browse
3vLKNycnrz.exe	53%	ReversingLabs	Win32.Trojan.Lumma
3vLKNycnrz.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://peelyitemsn.click/api	0%	Avira URL Cloud	safe
https://peelyitemsn.click/C	0%	Avira URL Cloud	safe
https://peelyitemsn.click/api6	0%	Avira URL Cloud	safe
https://peelyitemsn.click/	0%	Avira URL Cloud	safe
https://peelyitemsn.click/.	0%	Avira URL Cloud	safe
peelyitemsn.click	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
peelyitemsn.click	104.21.62.151	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://peelyitemsn.click/api	true	Avira URL Cloud: safe	unknown
sordid-snaked.cyou	false		high
diffuculttan.xyz	false		high
effecterectz.xyz	false		high
peelyitemsn.click	true	Avira URL Cloud: safe	unknown
awake-weaves.cyou	false		high
immureprech.biz	false		high
wrathful-jammy.cyou	false		high
deafeninggeh.biz	false		high
debonairnukk.xyz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://peelyitemsn.click/C	3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://peelyitemsn.click/api6	3vLKNycnrz.exe, 00000002.00000002.1443084110.000000000140F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000048C2000.00000004.00000800.00020000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1431335377.00000000062D0000.00000004.08000000.00040000.00000000.sdmp, 3vLKNycnrz.exe, 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	3vLKNycnrz.exe, 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp	false		high
https://peelyitemsn.click/	3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peelyitemsn.click/.	3vLKNycnrz.exe, 00000002.00000002.1443084110.0000000001437000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.62.151	peelyitemsn.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581190
Start date and time:	2024-12-27 08:12:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3vLKNycnrz.exe renamed because original name is a hash value
Original Sample Name:	78b4d3e1df367155161b0ca24d08b157.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 95 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:13:07	API Interceptor	1x Sleep call for process: 3vLKNycnrz.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.62.151	appbase.dll	Get hash	malicious	Unknown	Browse
104.21.62.151	Xerox-6509.dll	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	installer.bat	Get hash	malicious	Vidar	Browse	172.64.41.3
	skript.bat	Get hash	malicious	Vidar	Browse	162.159.61.3
	din.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	lem.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	markiz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	utkin.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	0Gs0WEGB1E.dll	Get hash	malicious	Unknown	Browse	104.21.22.88
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	104.21.62.151
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	104.21.62.151
	0zBsv1tnt4.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	cqHMm0ykDG.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.21.62.151

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.807765755196678
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	3vLKNycnrz.exe
File size:	3'635'712 bytes
MD5:	78b4d3e1df367155161b0ca24d08b157
SHA1:	e0b63eb3c6858c7cb8e3754b67264b8a861b1d86
SHA256:	10c9f5d51b36a62a32560a1e9912a28c781f9723fa23c2f778a86e8e94aef2fb
SHA512:	d78bbd14cfd7b6af5f13e8d40072963d36a2d9059e586d3837e476f25d458056d44ff3a25713139f83d7f550861c213dc9ac7a1e18335069f10d656380ed4a06
SSDEEP:	98304:E3CrFD9UPyyHBhwPFiVupq1ME+2KPv193iD:E38B948FB6M2KHji
TLSH:	A2F5F1B4AFEC9FC4E77C667EC3E128355139905818B7E32729485ABC0549BB0E38D61E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2ag.................p7...........7.. ........@.. ........................7...........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x778dfe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6761321C [Tue Dec 17 08:11:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
aaa
test dword ptr [ecx], ebx
rol byte ptr [eax], 1
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x378dac	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37a000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x37c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x376e08	0x377000	2c7f957da1b8f2dbce38b2a8835b1272	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x37a000	0x600	0x600	9edb7b38ba1086eb179db3a2760060de	False	0.408203125	data	3.986737529851491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x37c000	0xc	0x200	4304d922d1d1d01b3bcd855cce4612af	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x37a0a0	0x2ec	data			0.4344919786096257
RT_MANIFEST	0x37a38c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T08:13:07.399283+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49706	104.21.62.151	443	TCP
2024-12-27T08:13:08.134997+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49706	104.21.62.151	443	TCP
2024-12-27T08:13:08.134997+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49706	104.21.62.151	443	TCP
2024-12-27T08:13:09.017586+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49707	104.21.62.151	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:13:05.765031099 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:05.765065908 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:05.765147924 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:05.771680117 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:05.771692038 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:07.399205923 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:07.399282932 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:07.402235985 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:07.402241945 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:07.402578115 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:07.446098089 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:07.455682039 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:07.455781937 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:07.455791950 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:08.134979010 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:08.135082006 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:08.135171890 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:08.137268066 CET	49706	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:08.137281895 CET	443	49706	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:08.148371935 CET	49707	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:08.148425102 CET	443	49707	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:08.148494959 CET	49707	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:08.148742914 CET	49707	443	192.168.2.8	104.21.62.151
Dec 27, 2024 08:13:08.148761988 CET	443	49707	104.21.62.151	192.168.2.8
Dec 27, 2024 08:13:09.017585993 CET	49707	443	192.168.2.8	104.21.62.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:13:05.187879086 CET	51779	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:13:05.507018089 CET	53	51779	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:13:05.187879086 CET	192.168.2.8	1.1.1.1	0xecf	Standard query (0)	peelyitemsn.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:13:05.507018089 CET	1.1.1.1	192.168.2.8	0xecf	No error (0)	peelyitemsn.click		104.21.62.151	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:13:05.507018089 CET	1.1.1.1	192.168.2.8	0xecf	No error (0)	peelyitemsn.click		172.67.136.183	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

peelyitemsn.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	104.21.62.151	443	7452	C:\Users\user\Desktop\3vLKNycnrz.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:13:07 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: peelyitemsn.click
2024-12-27 07:13:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 07:13:08 UTC	1132	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:13:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bkeu8p46g8asfgmahjtgh0o5m2; expires=Tue, 22 Apr 2025 00:59:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uw%2FRRdMdeQWGANOH1CqeikSMujYeiosfNhdEJmYdKGqQUaPHPtRF4zFOO%2BWDS9%2BqyicB7doA2yjZfLHax2M3TlCcK8m%2FAmkU00MuMjFqT1175HGiIyqmT644oU5LGyRIUGL73g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f878196ff9841c6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1698&rtt_var=647&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1678160&cwnd=204&unsent_bytes=0&cid=eed846db26c4af20&ts=1110&x=0"
2024-12-27 07:13:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 07:13:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:13:02
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\3vLKNycnrz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3vLKNycnrz.exe"
Imagebase:	0xd60000
File size:	3'635'712 bytes
MD5 hash:	78B4D3E1DF367155161B0CA24D08B157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1430982949.0000000006240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1411982462.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1420534008.00000000044C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:13:03
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\3vLKNycnrz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3vLKNycnrz.exe"
Imagebase:	0xb10000
File size:	3'635'712 bytes
MD5 hash:	78B4D3E1DF367155161B0CA24D08B157
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	22.9%
Total number of Nodes:	48
Total number of Limit Nodes:	2

Executed Functions

Function 0609A678 Relevance: 2.6, Strings: 1, Instructions: 1335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 0609B656

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 65a82027daf4801640a1d885538c50d7f2c8df6a27062d0c07732b859e7c08f9
Instruction ID: 1efd07c3f49b3bb234c80a25b0f2cf9078b6aaaec64b57d382fa29c701ca1a4c
Opcode Fuzzy Hash: 65a82027daf4801640a1d885538c50d7f2c8df6a27062d0c07732b859e7c08f9
Instruction Fuzzy Hash: 53E2B074A01629CFDB64DF68D884B9EBBB6FB88311F1081EAD509A7354DB349E81CF50

Function 06099430 Relevance: 2.2, Strings: 1, Instructions: 956
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{-!Q, xrefs: 0609980D

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: {-!Q
API String ID: 0-1025268147
Opcode ID: 5d72bf474a6477be718cb04e2d52a55a493c89dee3541b3fc2d4eb9a16b7ccac
Instruction ID: 28f05403953cbf3d73b78acbf817ac165b78d82e83bc2dbe1b60a3d642801733
Opcode Fuzzy Hash: 5d72bf474a6477be718cb04e2d52a55a493c89dee3541b3fc2d4eb9a16b7ccac
Instruction Fuzzy Hash: 84A29375A00628CFDB65CF69C984AD9BBB2FF89300F1581D9E509AB321DB319E81DF50

Function 03291320 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 032913F7

Memory Dump Source

Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 09213191c689f5a2bc70a3147c01d069cc96d50e0340eeb30f831ccda65e5196
Instruction ID: dd17960e575a53eeb93273c9de13ba3a6ef24f7218cfb318b897d4e15df7f09f
Opcode Fuzzy Hash: 09213191c689f5a2bc70a3147c01d069cc96d50e0340eeb30f831ccda65e5196
Instruction Fuzzy Hash: B931E13190034ACFDB14DF6AC4407AEBBF8EF48310F24846ED459AB640CB39A986CB94

Function 03292B29 Relevance: 1.6, APIs: 1, Instructions: 61
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03292BB0

Memory Dump Source

Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 019b50b194cb9440b1949a27c96550395992abd6870d161a20a9f91ad7735b0b
Instruction ID: f1b2fcfa83621f2461fd815ec625979e3e70464b26f3d9fd37e19cfdb0c1b78d
Opcode Fuzzy Hash: 019b50b194cb9440b1949a27c96550395992abd6870d161a20a9f91ad7735b0b
Instruction Fuzzy Hash: 6A21E2B19013499FDF10DFAAD884ADEFBF5FF88310F14882AE919A7250C7759954CBA0

Function 03292B30 Relevance: 1.6, APIs: 1, Instructions: 60
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 03292BB0

Memory Dump Source

Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 20364565e077aae221805161e8038debf50ffc69601492ffcf287c065815c617
Instruction ID: ccceab54f254e6207d4182c23844be40018b2dc57b4028bf35981cb88c7e4729
Opcode Fuzzy Hash: 20364565e077aae221805161e8038debf50ffc69601492ffcf287c065815c617
Instruction Fuzzy Hash: A521E2B19003499FDB10DFAAD884A9EFBF5FF88310F10882AE919A7250C7759950CBA0

Function 03293A28 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc85ab3c188dece98465aa29c0abc85198e06ff74050045030f653829389bd8
Instruction ID: 5dd027cc054215193dd41441e279a765f7dc313d157a0cfd9680a58a34881db0
Opcode Fuzzy Hash: 4bc85ab3c188dece98465aa29c0abc85198e06ff74050045030f653829389bd8
Instruction Fuzzy Hash: 8E6219B0921205CFFB20DF4AE988A99BBF1FB50309F49C19AD4155F262C3B9E895CF51

Function 0609BFDB Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3150793bd52341c97b623b5f2d9d72de88916000fd8a317776f09e91006f455c
Instruction ID: b2a9b3c8a5e6c84b850f9c1ce14c67a4d7404d3f585ba2413bdabdac7fda8b27
Opcode Fuzzy Hash: 3150793bd52341c97b623b5f2d9d72de88916000fd8a317776f09e91006f455c
Instruction Fuzzy Hash: 64529474A006298FDBA4DF28CD84B9ABBB2FB88311F5081D9D50DA7355DB30AE81CF55

Function 032975F0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c52243a7d60910f874b3c3d37b091c2dad8d0adb4e0bc5b6d147ed55afdeb6
Instruction ID: 7df1d88a96bb72b1c1f8bd9db8682a8e69656804f69bd457af1589206d61b428
Opcode Fuzzy Hash: 43c52243a7d60910f874b3c3d37b091c2dad8d0adb4e0bc5b6d147ed55afdeb6
Instruction Fuzzy Hash: 75F17C35A342058FEB15DB6CC890AAAB7F6FF89300F1585AAD406DB361DB71EC81CB51

Function 0609A66A Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ce4700831df6f7c094510dbc1288cc8c9be73f4684f8bf8992c68a286af9ed
Instruction ID: 156563fe25d9e38b58f44bafe48a66698af71c1b6f98a2619ef8ea257404c626
Opcode Fuzzy Hash: f3ce4700831df6f7c094510dbc1288cc8c9be73f4684f8bf8992c68a286af9ed
Instruction Fuzzy Hash: 93519871E01A188BEB58CF6BDD4469AFAF3BFC8305F14C1AAD408AA254EB745981CF50

Function 03291378 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 032913F7

Memory Dump Source

Source File: 00000000.00000002.1410716253.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_3vLKNycnrz.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 656b64bb48a6c3597d15bd9bfa8b3eaf3695e1367a88a39143e87107ce3b243a
Instruction ID: 8d538a18430d5d2dad7ffc393e39a448b4a74abd83b282ad994b0a3c00feac70
Opcode Fuzzy Hash: 656b64bb48a6c3597d15bd9bfa8b3eaf3695e1367a88a39143e87107ce3b243a
Instruction Fuzzy Hash: 90215C7190034A8FDB14DFAAD4457EEBBF5AF88320F14842ED456A7290C7389A45DFA0

Function 06095440 Relevance: 1.3, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

g05, xrefs: 0609549A

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: g05
API String ID: 0-992802407
Opcode ID: 0ec0e74a97ae46bcdcd11136383a4ec7fa346dd42137bd187dfbd2e3f4b19a0d
Instruction ID: 560f454df55c7de7caa442b1f00bb50c355864882bc83593ce154e27dba11d71
Opcode Fuzzy Hash: 0ec0e74a97ae46bcdcd11136383a4ec7fa346dd42137bd187dfbd2e3f4b19a0d
Instruction Fuzzy Hash: 8A01442014A3D16FE30B4A385C11AB37F75EFC775075981EBE486CB1A3D9580D4B97A2

Function 059F2D88 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de03c853ebe5969d42fc21dd97eece4edefd57330208d101324c4bc8e8bc2da2
Instruction ID: 5d55a0e44e21f0be6a93bc29751eb2da4b519d656a5df45332006fa2c999737f
Opcode Fuzzy Hash: de03c853ebe5969d42fc21dd97eece4edefd57330208d101324c4bc8e8bc2da2
Instruction Fuzzy Hash: B442A634E0420ACFDF15DB99D494AFEBBB6FB88301F50881ADA16A7394C7385982CF51

Function 059F38B0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc85e8c4827f96af0d2c7096064b1f171e5aef0a821afd6d1f20983848c256b
Instruction ID: 206ba5c0a525847940213f2a08acd18de912cef1c015822f4b1594aab5e55c55
Opcode Fuzzy Hash: 7fc85e8c4827f96af0d2c7096064b1f171e5aef0a821afd6d1f20983848c256b
Instruction Fuzzy Hash: A6F1D434D05208DFCB54DFA9E898ABCBBB6FF49315F60486AE506A7350CB356985CF10

Function 059F3588 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217b0cf7c6048bcae2b921c4be89869368cc4a4e185b70f367cd5b09372630f3
Instruction ID: 1eeb8d5eaec5a30fac93ca9f46d39166d011e35619647bc7651486e55d50102e
Opcode Fuzzy Hash: 217b0cf7c6048bcae2b921c4be89869368cc4a4e185b70f367cd5b09372630f3
Instruction Fuzzy Hash: 41A1E474E05209DFCB18EFA9D454ABDBBB6FF88305F54882AE91267350CB385986CF50

Function 0609D230 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c81e5bb723f77b78defd775fcd24fe089fff40e5f3ddccc1ca3557f41fafa5
Instruction ID: b71eca3737d0446d2381865e4359de3a23d8fcdc21b87436982cd11bc0db5ab6
Opcode Fuzzy Hash: 59c81e5bb723f77b78defd775fcd24fe089fff40e5f3ddccc1ca3557f41fafa5
Instruction Fuzzy Hash: C3610474E05209DFDB44DFA8D888AAEBBB2FF99310F50802AD505AB394DB349D45CF91

Function 0609D240 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443573ba44d1f4d4a635971b061c4689779662e45fc6aa6273cc9c145392776d
Instruction ID: 60631818224fe7f0988abe3cc3b60ead569a1efb4682c47b203efa6efc309cbd
Opcode Fuzzy Hash: 443573ba44d1f4d4a635971b061c4689779662e45fc6aa6273cc9c145392776d
Instruction Fuzzy Hash: A6610374E40209DFDB44DFA8D8886AEBBB2FB98310F50802AD509AB394DB349D45CF91

Function 059F0878 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ec40a2739f1de40bc21396673042304b76da82245700cab56d3f56a24583ab
Instruction ID: 7b261139446556a615a125258a004be32dba50cb694a262b6a2cf6cb645a95bb
Opcode Fuzzy Hash: d0ec40a2739f1de40bc21396673042304b76da82245700cab56d3f56a24583ab
Instruction Fuzzy Hash: 34411C74A24105CFEB14DBB8E85D2BDBBB7BB88751F14452AE907E3382DF3488818B51

Function 06099270 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546b2d01ede1f2160208f108db8a6aa588ef3b965316e69a01c321f131583ff4
Instruction ID: 7beb44e35ddea50279cce2b9d9786a42dbb716bb2644e26510c1249c605e87a6
Opcode Fuzzy Hash: 546b2d01ede1f2160208f108db8a6aa588ef3b965316e69a01c321f131583ff4
Instruction Fuzzy Hash: 143156B4D452098FEB84DFA9C8443EEBFF6FB89310F14846AD555A7381EB344981CBA1

Function 06095518 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92fbebc052a5ba4ec9297062b18b7495220c82f0a9d0eaea8a6ee60ca16cf9c
Instruction ID: 6f073caf46eacf181bfb9ed9a8a03565c11bac0c3e9364791749be70137876db
Opcode Fuzzy Hash: a92fbebc052a5ba4ec9297062b18b7495220c82f0a9d0eaea8a6ee60ca16cf9c
Instruction Fuzzy Hash: 9E313CB0942205DFEB86EFA9C8487AEBFF3FF48300F9480AAE41597251D7344985CB51

Function 06C8B7F0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffb4eeed84a42736258354834013f708c1526998e505c4f96907bbac602935f
Instruction ID: 4e720f5aa62444f5a1cc22a7873d49451ec031b89e29977771d6a515fbb848c7
Opcode Fuzzy Hash: 9ffb4eeed84a42736258354834013f708c1526998e505c4f96907bbac602935f
Instruction Fuzzy Hash: DB314670E0520A8FEB60DFA9C4886EEBBF1FB49318F14802AD509A7340D7719E84CB91

Function 059F2D6D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cba8210b0c0f34f5e72c244cd70c585c08186fbe16c7c9b56bcaf8f8e749f1
Instruction ID: 8eb36042c85390094851ec2d58a153cda2590843e0b872315a0d208a13971c85
Opcode Fuzzy Hash: e3cba8210b0c0f34f5e72c244cd70c585c08186fbe16c7c9b56bcaf8f8e749f1
Instruction Fuzzy Hash: AE310834D0820ACFDF19CFA9D8147FEBBB2BB85301F10846AD115AB291C7385A85CF91

Function 06095528 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da5805b4892d00a36184a26e7f02bfc83cc3b13de108da525e0077849c29908
Instruction ID: 0f888e079159c2d4dd37c8e30c301f80192493390863cb92bcc1b3d9f6434097
Opcode Fuzzy Hash: 1da5805b4892d00a36184a26e7f02bfc83cc3b13de108da525e0077849c29908
Instruction Fuzzy Hash: C63136B0D42209DFEB86EFA9C8487ADBFF3EB48300F9080A99419A7351D7344A84CB51

Function 016AD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402999344.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a435b7bb578ef3ae26425b531a53c9351cb0c812d9dd5d2ea74f3d9b131145
Instruction ID: ebc6ef0cbd2bfbae4f3b3088a95fae30ed5abd8b2cd9fef7a0015851f676c00a
Opcode Fuzzy Hash: f0a435b7bb578ef3ae26425b531a53c9351cb0c812d9dd5d2ea74f3d9b131145
Instruction Fuzzy Hash: 6A2121B1105300EFDB01DF94D9C0B66BB62FB84320F60C569E9090BB47C336E816CBA2

Function 016BD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403673668.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b3a19b85bb4b2eec13a1a286b0d3330c0b01fbd191d93d5359889606b51dab
Instruction ID: 0da26e51b6b1637d3569d0ce21bf6a4066296f22c6d815fa8fc1a37452ab9b1d
Opcode Fuzzy Hash: f4b3a19b85bb4b2eec13a1a286b0d3330c0b01fbd191d93d5359889606b51dab
Instruction Fuzzy Hash: 10212F75204204DFDB11DF44D9C4B66BB65FB88328F208569E8090F342C336C487CBA2

Function 016BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403673668.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589dbdd2ab71274348f8125b19832b0c09df3daa80fa85a8b2b330b6258022fd
Instruction ID: dbc934744ce5b920b4c21472348c0913db914890133f5a1341a297f5de0f7530
Opcode Fuzzy Hash: 589dbdd2ab71274348f8125b19832b0c09df3daa80fa85a8b2b330b6258022fd
Instruction Fuzzy Hash: 6C21BE755093808FCB03CF24D9D4B16BF71EB86214F2881DAD8448F6A3C33AD84ACB62

Function 0609A579 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348179a9f50ff2c0897e9155bf83bc89d1ee8b0d7ad82c337fa43de588886fcb
Instruction ID: c1ed47b55b5019d4e21db9dae5cc1507c7df99e35a8284fb462ce3ae8ca7d207
Opcode Fuzzy Hash: 348179a9f50ff2c0897e9155bf83bc89d1ee8b0d7ad82c337fa43de588886fcb
Instruction Fuzzy Hash: 712126B1E0021ACFDF44CF99D5456EEBBF2FB88311F00842AD515A3250DB345A95DFA4

Function 0609A588 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4a80422541b8a8a1f8c85254b583f3e126e8e5d80d81c2f95e226aa07debce
Instruction ID: 73ec433a9d0f2dbb8851390d5beb5f109321493cd051fc1831bb53cfa2501338
Opcode Fuzzy Hash: 5a4a80422541b8a8a1f8c85254b583f3e126e8e5d80d81c2f95e226aa07debce
Instruction Fuzzy Hash: 2B11F3B0E4421ADFDF44CF99D8446EEBBF6FB88311F00902AD515A3250DB745A85DFA4

Function 016AD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402999344.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: e1e7ae4b10267957da49305199379255837a487f89a1cb3ae95536afae08dcb2
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: D511DF76504240CFCB02CF44D9C0B56BF62FB84320F24C5A9D8090B657C33AE85ACFA1

Function 06C777A7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f523bf0c793a52df91e559e06fb12512be8f52c2ed2d2fd4b99411931093ca
Instruction ID: 5219cc0e47ce3b6b49cfc411eb31da2c6c58c86a5acb4ba0a78a8e1c1af88467
Opcode Fuzzy Hash: a6f523bf0c793a52df91e559e06fb12512be8f52c2ed2d2fd4b99411931093ca
Instruction Fuzzy Hash: 4C21A374E0522ACFDBA4DF24D988BD9B7B1EB05304F1144E9912DA7680D7749FC58F11

Function 06C8F350 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9dbd524c33e1078e46f457ae0baacd819e6c83d2d542d035aa63c77744a3f9
Instruction ID: dd6795136bc674a16aaf3f6a021472cd6f046b2b39f37065c181d86b2344d0f1
Opcode Fuzzy Hash: bf9dbd524c33e1078e46f457ae0baacd819e6c83d2d542d035aa63c77744a3f9
Instruction Fuzzy Hash: BC11B7B4E0020A9FDB44DFA9C9457AEFBF2FF88200F60856A9418A7350DB345A419B95

Function 059F0D5D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3091a7b6d1dfc7307f28f5c8a5a07ae3a535e14c1dc09079248850fc6aa511f8
Instruction ID: 6e7c4c68bff8de690ca623d70a9580888f9233407f1d4c5fc202e2082768c37c
Opcode Fuzzy Hash: 3091a7b6d1dfc7307f28f5c8a5a07ae3a535e14c1dc09079248850fc6aa511f8
Instruction Fuzzy Hash: 6CF04F361097449FC312DF28D455895BBB9EF82724B0680E7E149CF563D731F941CB91

Function 059F0E50 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd47bc7750cf55e2527766d4cebd21a150a2f4d8720ce4e5ca192f8069ea13a5
Instruction ID: f965642c6777d24164636e3c6272694a1f11a1e802bfdc7e26c08f1bedeb477d
Opcode Fuzzy Hash: bd47bc7750cf55e2527766d4cebd21a150a2f4d8720ce4e5ca192f8069ea13a5
Instruction Fuzzy Hash: E4014831549384AFD7128F68DD19B463F65AB16310F198096F6948F2A3C2729824CB22

Function 059F0AE5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2376c0c2b854c927d14d11686a95c780a48453ec51cbc0521c580e14c4d53e
Instruction ID: 336e47bc1c23ea97a263e5d8ecc51dbcdc2615a2aa430398b0e154f1b9ba439b
Opcode Fuzzy Hash: ba2376c0c2b854c927d14d11686a95c780a48453ec51cbc0521c580e14c4d53e
Instruction Fuzzy Hash: EDF04F31A053858FEB019B78A4193653FBEEB85649F048096E506CB352EF79C8458B52

Function 06C7682C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6ad720446d77bf4efb9b46246101057b799006ea3f6af2cbbb6ecbe61d0265
Instruction ID: e048373f73dce383703bf52797952db78bcb2a84efb25256dbc800dd4abff422
Opcode Fuzzy Hash: 4d6ad720446d77bf4efb9b46246101057b799006ea3f6af2cbbb6ecbe61d0265
Instruction Fuzzy Hash: 3A1118B8A02229CFDBA4DF14C994A9AB7B2FF88310F1040DAD51D97340D7349E80CF55

Function 06C71F41 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6b6fc050226a8daa9f8d353f0412ea5b3f5b700beeeae8b8be7737bd631549
Instruction ID: 8ef489a10d640f0d00350a1ca8cf46ff92737b7499a00ebf7e95a2aec436fea3
Opcode Fuzzy Hash: ad6b6fc050226a8daa9f8d353f0412ea5b3f5b700beeeae8b8be7737bd631549
Instruction Fuzzy Hash: 2C0125B0E4411ECFDBA4DB14C9887A9B7B2EB44304F5044E9D11EA7680CB786EC4CF55

Function 06C718A9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5095e14b3d505937acde6cb9788a6a1ceca728d0f8cf51e081b899052a9c8cf8
Instruction ID: 26c84cd7ebc1110e732afa83ba38f7a2087cafe87f5b05be069868a2ef98cad2
Opcode Fuzzy Hash: 5095e14b3d505937acde6cb9788a6a1ceca728d0f8cf51e081b899052a9c8cf8
Instruction Fuzzy Hash: 4801E574A05219CFDBA4DF44CD88BAAB7B1EB48308F1041D9E11DA3380CB789EC59F41

Function 06C771D6 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e244d77ad0d304a9a86ce8178956522b2b0cb74d35c5227111ea455f4711fb
Instruction ID: 105e22f8f996e4b58697ae3f621a2add9467946a7ce5b3734428789eff29c388
Opcode Fuzzy Hash: f1e244d77ad0d304a9a86ce8178956522b2b0cb74d35c5227111ea455f4711fb
Instruction Fuzzy Hash: 5E0108B4A01219CFD7A4DF58C988AAABBB3FB98314F1040DAD51997344CB369E81CF90

Function 06C7292F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cb65ad5580ac7de1e6d80f06a8a825653b29e8c61da897daead7fcde74ab3b
Instruction ID: 5cd7471d49bd91ad40bf7583c6a6ae7ece7584600992243aa260c5a03119b785
Opcode Fuzzy Hash: 58cb65ad5580ac7de1e6d80f06a8a825653b29e8c61da897daead7fcde74ab3b
Instruction Fuzzy Hash: 8C015AB0E0411ACFDBA49B24D9847A877B2EB84304F0044E9D11EA7240DA346EC0CF51

Function 0609A368 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276d6ac7ff08f139a7708599fe2c9794e58b3893b11e44d24000f791b7f8d435
Instruction ID: 82403c3fc82c035a0d3a18cf64ebdfc25a2d43f5f203a8ec0bdea9d6c448e395
Opcode Fuzzy Hash: 276d6ac7ff08f139a7708599fe2c9794e58b3893b11e44d24000f791b7f8d435
Instruction Fuzzy Hash: 1DF09A34E05208EFCB81DFA8C800AADBFF1EB88300F10C0AAEC4897342D2319A11DB51

Function 059F0D2D Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4daf1653fdfe4fdaf13b631148e5168f9e3e96c855048e8000f1a52539f9753
Instruction ID: dfa09e15bac2fc0809ae7d88f3dbb81ae4d5e087a9295fb7ce3106c49e2cc725
Opcode Fuzzy Hash: d4daf1653fdfe4fdaf13b631148e5168f9e3e96c855048e8000f1a52539f9753
Instruction Fuzzy Hash: A7E0E53500D7888FC3078F74D51A6447F78EB42614B2650D6E14DCF573CA29A9018B51

Function 0609D758 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b9cd88c23736f28019daa956403c70a025c0cdcf4067ac0579e74b268734e6
Instruction ID: 7554d087bb6e459d4e7da45b79dc1d345d5986cb66bc76f64417ff9b1864b1d0
Opcode Fuzzy Hash: 54b9cd88c23736f28019daa956403c70a025c0cdcf4067ac0579e74b268734e6
Instruction Fuzzy Hash: F1F0A035909248BFCB11CFA4E8918ADBF76AF46210F1480CAEC8457351E6315A51E7A1

Function 0609E328 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e178853fd7d7c6311131180690b22c61b719a01c499db95ed8596ad91ff9c990
Instruction ID: fedd6faab1daac9090e84b914e141b99cd3683bd03b8cfddafb8cfd7c0a71c48
Opcode Fuzzy Hash: e178853fd7d7c6311131180690b22c61b719a01c499db95ed8596ad91ff9c990
Instruction Fuzzy Hash: 67F05830D09288AFCB51CFA8C4905ACBFB5EF4A210F2880EAD88897352DA305E06DB50

Function 0609D9A1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2243d194f95ed895bb43377025d88864f60ec8bfb72a87bc17eeacdfd6ae6d84
Instruction ID: a5f9b94d282d6c1238042e9500a97897ba5b3657eed529884681c95265c2888c
Opcode Fuzzy Hash: 2243d194f95ed895bb43377025d88864f60ec8bfb72a87bc17eeacdfd6ae6d84
Instruction Fuzzy Hash: 4BE0ED7084A208AFCB00DBA4D9109ADBF79EB42300F0081DAA84827383C6305E42EBA1

Function 059F0E31 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583398c4b814c8511d432f710f7bec7ec8ec5645269ab41be2faeae9d6199e87
Instruction ID: 88fd652160bcb46a39ec62a30e4d4667d9825a759d6c72d390133ef1113e738b
Opcode Fuzzy Hash: 583398c4b814c8511d432f710f7bec7ec8ec5645269ab41be2faeae9d6199e87
Instruction Fuzzy Hash: 2AF0F871589384AFD7028F20AD1AB857F79EB16304F0A80DBE944DF1A3D3799805CB22

Function 059F0B00 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c612018c2045bc40742bb3aa60e182389eb2d4e808b71f22be3262e83c4244
Instruction ID: e1180cf79ac2d36def02be495f68caa344e82b0bf0156cfe1d987ed0836b92f5
Opcode Fuzzy Hash: d1c612018c2045bc40742bb3aa60e182389eb2d4e808b71f22be3262e83c4244
Instruction Fuzzy Hash: FDE06530B10216CBEF409B7DB4187763BAFE78864AB004465E506C3341FF74DC418B82

Function 06C724BF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e801c2213c0048b2dc7bee53ddb8b3f99509976540f36d9ea34454e9ea820cb
Instruction ID: eedb260f4a0337395561dfe861c2ed68c2230adc2e3c9e52ca85dfdc8b257071
Opcode Fuzzy Hash: 1e801c2213c0048b2dc7bee53ddb8b3f99509976540f36d9ea34454e9ea820cb
Instruction Fuzzy Hash: E8F09078A05104CFD795EF54CC98A9AB7B2FB48304F1040D5D51C57388CB344E85DF91

Function 060954E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35393dff9e673ad9fe1593ab7520f49054c26b3e7735ba0b73374a71ba7ef2ab
Instruction ID: 30b1d39d7230dbf0e719d9e8376d2131837eb2ba8fef3087d530846e6d22d0f6
Opcode Fuzzy Hash: 35393dff9e673ad9fe1593ab7520f49054c26b3e7735ba0b73374a71ba7ef2ab
Instruction Fuzzy Hash: 3AE09231105248BFDB02CF80DC50CAABB7AEF8A610704C09AFC4087212D6729D22DBF1

Function 06099C6E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12bfecabc4f1b04829872c547cb126a01a525dffdbc6fae30b97fef5414ea7e
Instruction ID: 7af74b23d74f81961949c59b32d3a5d6eb5f80bf29e360660b8f730855b5249c
Opcode Fuzzy Hash: e12bfecabc4f1b04829872c547cb126a01a525dffdbc6fae30b97fef5414ea7e
Instruction Fuzzy Hash: 59F0F8B5A48218CFDB50CFA5C840AECBBB6FB88300F2181A9D509A7221C7309E81DF60

Function 060993D1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0488b2d657aa3149d53ad2c606b43cb0666d2f274154f5e47f4f8801e18e977e
Instruction ID: 2ecf5e3ac448f6f9a6b5088a1eb569d84c1581fe50c3af36bf67f93cce15ab5d
Opcode Fuzzy Hash: 0488b2d657aa3149d53ad2c606b43cb0666d2f274154f5e47f4f8801e18e977e
Instruction Fuzzy Hash: E7E0E530805384AFD751DFB4881065D7FF5EF06200F0404EBD885D7182EA304A44C7A2

Function 0609A378 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ae3889b82e70ac86fc6856b0cea3b4d3dbe407955bc584a4993cb0be64762d
Instruction ID: 0e42523c968ef09d1fa4092f49f55716ff4f694c2b438b65f4e9e0d4271709b0
Opcode Fuzzy Hash: e7ae3889b82e70ac86fc6856b0cea3b4d3dbe407955bc584a4993cb0be64762d
Instruction Fuzzy Hash: 5CF0AC74E44208EFCB95DFA8D541A9DBBF5EB88304F10C19AA81897350D6719A51DF50

Function 0609D1F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075ab5a9bb55cc29a587bc37c765d6fd80630a380d1e855281569895bd6ed6dc
Instruction ID: 8cac3900baeef2580c7c0a03b1b3c231b80c0ff5db88d2ba5e04c703ebf151f0
Opcode Fuzzy Hash: 075ab5a9bb55cc29a587bc37c765d6fd80630a380d1e855281569895bd6ed6dc
Instruction Fuzzy Hash: A0E0D83084D384AFEB56CB64D5616A4BFB5DF07218F2844CDD4C447283D5329E03D751

Function 06C8D2E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction ID: bc37987a5aed824e20cd522c485899ba75485802f9ccc06d36d0c3ddf79ed92b
Opcode Fuzzy Hash: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction Fuzzy Hash: 9AE0ED74D04208EFCB94DFA9D541AACFBF5EF48304F10C0AA980993340D631AE51DF80

Function 06C8A808 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction ID: 391c2bda32c17da51f8dbd91110546741d77389fb2606b50ddf627dbf0b6d453
Opcode Fuzzy Hash: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction Fuzzy Hash: 26E0E574E04208EFCB94EFA9D541AACFBF5EB48314F10C0AEA808A3341D6359A52DF90

Function 06C85DD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction ID: 092a804de1133fc34ec30c969147d78082ab7491c0a4b7df4e3cca1432d72544
Opcode Fuzzy Hash: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction Fuzzy Hash: 9FE0ED74E04208EFCB94EFA9D545AACFBF5EB48304F50C0AA9C1893340D6719A51DF80

Function 06C8DDF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction ID: ae47f4e53c2cbbfadbc318129b691fe7b2ae579530cf0562a4c96ee66e8e303f
Opcode Fuzzy Hash: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction Fuzzy Hash: B1E0ED74E04208EFCB94EFA9D541AADFBF5EF58305F10C0AA980993341D731AA52DF84

Function 06C8BD90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction ID: 6928b981e259f7904b5c25e7511dd96cc0bdc3e553858c2b85bb15341007d4a4
Opcode Fuzzy Hash: f34ddb454c6e6aea80f7afd0eba0c6949c92b28bc5e3dbe4533cfee8965970e5
Instruction Fuzzy Hash: 86E0C974D04208FFCB94DFA8D541AACBBF5EB48304F10C0AA981893340D6319E51DF80

Function 06099238 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4544de6c6fca4373ba5b5761cbf678a19eeeddd3720f9e9941ff4bb244ce6a60
Instruction ID: 276a045b3090d3be1fcfb0e288b40177e1a6e2c1ef6e935222fecc356a888d89
Opcode Fuzzy Hash: 4544de6c6fca4373ba5b5761cbf678a19eeeddd3720f9e9941ff4bb244ce6a60
Instruction Fuzzy Hash: 9DD0C72004AA800AC7A22BB86D232A47FB48B07512B0C008AE8CA0980388240092D2B3

Function 059F0C05 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57abc07c938ca85c1e1894f02d0434a34177724b53bda220b9133e2ebb9d6db5
Instruction ID: 258ce8faaa1c4915b86f4ea7aef2fbb0ba7d5ceceaa966fc577b1894f6e56e72
Opcode Fuzzy Hash: 57abc07c938ca85c1e1894f02d0434a34177724b53bda220b9133e2ebb9d6db5
Instruction Fuzzy Hash: CBE0C2A2A0C3440FC30B6B34B9113882F70EB03200B0740DFC040CF2B3E8245D0B87A5

Function 06C88D58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf70d6da089cb972b40bb4170ac547fe0c78f76baa3b0d428baa1bffb531ede
Instruction ID: 9face1e8c9848912ab2ab96ceae79b3ee502574129a91016e61f14666d13770a
Opcode Fuzzy Hash: ebf70d6da089cb972b40bb4170ac547fe0c78f76baa3b0d428baa1bffb531ede
Instruction Fuzzy Hash: 1CE04F74D05208EFCB54EF99D5416ACFBF4EB49208F1080EFD84857341CA315A02DB81

Function 0609E338 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af4ad834c6845e4540cae1ba183cda0879c5eb7dd93835c56b852bc914c0d97
Instruction ID: 50131a4def85a13abd7d56be591465353aab7b1793f06593f338a6df3332cc63
Opcode Fuzzy Hash: 0af4ad834c6845e4540cae1ba183cda0879c5eb7dd93835c56b852bc914c0d97
Instruction Fuzzy Hash: FCE01A74D04208EFCB44DFA8D5456ACBBB5EB48204F14C0A9A80C57350CA31AE42DB80

Function 059F0CA1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3866965e80b1af53fdbbfd2780cb93f146f58ba29bac9d11de787862f9736f
Instruction ID: c9eabce48d8cd91625338c13aaf3b5207960e56330910125d9b02d098a5d7453
Opcode Fuzzy Hash: fe3866965e80b1af53fdbbfd2780cb93f146f58ba29bac9d11de787862f9736f
Instruction Fuzzy Hash: 6BE0B67500E3C48FC7038F3499654443F74AE0310870A40D7D084CF1B3D229A90AC722

Function 06C8B608 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a2e0d2111124fefa26d553b355d5c1bf38b963186525b6c60712827a783281
Instruction ID: a7f4429d315017d117f541d84f725d93da44fc6351087c8375ce36510430ae1a
Opcode Fuzzy Hash: 04a2e0d2111124fefa26d553b355d5c1bf38b963186525b6c60712827a783281
Instruction Fuzzy Hash: 05E01271851208EFCB91EFB49901A9E7BF9DB46605F0005BA951997210EE314A00DB95

Function 06C8E358 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd673049470ee3f6734386c8a9dae4ce367d97af3bb3fc61aed89a46a11bd05
Instruction ID: a32e1953169c115546381924d7ba96788608467d0ec27b82a2574bbfccafa3f8
Opcode Fuzzy Hash: 3fd673049470ee3f6734386c8a9dae4ce367d97af3bb3fc61aed89a46a11bd05
Instruction Fuzzy Hash: 87E01274D09208EFCB54EF99D94196CBBB9EB4A308F1081EDD80827351CA315E42DB85

Function 060993E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2716b560ac2a5ff2ebed18262bce61d41e06f858aaac60ba8e47ab592c59ca
Instruction ID: 88b41c6fa0692bb62db77d84d0f78bf483f8d26442ab42403994f5c4ff216c6e
Opcode Fuzzy Hash: 7c2716b560ac2a5ff2ebed18262bce61d41e06f858aaac60ba8e47ab592c59ca
Instruction Fuzzy Hash: D1E0C271810208EFCB40EFF4D504B5E7BFAEB4A601F0000ABE409A7280EF314A44DB91

Function 0609FF68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe53480c10945ab8162fe1bbd9336a848bef7eec5589a11a98f273b37a6f8976
Instruction ID: 39f7d59380ff91c1426214b37ce101b834a1044197f199f282299a9f6633993d
Opcode Fuzzy Hash: fe53480c10945ab8162fe1bbd9336a848bef7eec5589a11a98f273b37a6f8976
Instruction Fuzzy Hash: 5AE0C234D48208EBCF44DF98D55196CBFBAEF4A308F1080DDD80957340CA316E42DB90

Function 0609D9B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe53480c10945ab8162fe1bbd9336a848bef7eec5589a11a98f273b37a6f8976
Instruction ID: 58b0915a655133f5a4765fddeeca12594dd43c9f1dfcaf5dfacabf4c8b887f6b
Opcode Fuzzy Hash: fe53480c10945ab8162fe1bbd9336a848bef7eec5589a11a98f273b37a6f8976
Instruction Fuzzy Hash: 9EE0EC74959208EBCB54EBA8D551A6CBBB5EB45304F108199984C27381CA315E42DB95

Function 060954F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c767e48155a14b83576ed60cad6bc38b9ef44b2818523bd4bd938fc7fae1ccf
Instruction ID: c2969385f0d5d38c4f3d7f05f39e8da3773f12cd9a33b23caa96eadeb1015269
Opcode Fuzzy Hash: 9c767e48155a14b83576ed60cad6bc38b9ef44b2818523bd4bd938fc7fae1ccf
Instruction Fuzzy Hash: 9ED06736200118BF9B05DE84DC51CA67B6AEB89660B14C45AFD1547251CAB3ED22EBA1

Function 0609D208 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff6fc3bb414539427a60303e4b72399e71269df4dcd5cb0a7b372a2d69c4fae
Instruction ID: ba761e9781f904aee1324c25eaad6958e5a89f98334ad0fca9eb746765641b2d
Opcode Fuzzy Hash: bff6fc3bb414539427a60303e4b72399e71269df4dcd5cb0a7b372a2d69c4fae
Instruction Fuzzy Hash: FFD05E70989208EBCF94CB98E601A69BBA9DB46308F109099A80847381CA329D02DA90

Function 059F0155 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325ac2b308aa358ec6c9bb441374c7dd9cc361a726a1bd2c78684dc76f3e7138
Instruction ID: d82d585428d60c0983b16d8a0a9ee5cef5b78def7505d01b1d776d2840ac16d3
Opcode Fuzzy Hash: 325ac2b308aa358ec6c9bb441374c7dd9cc361a726a1bd2c78684dc76f3e7138
Instruction Fuzzy Hash: 60E0127445E7C44FD7439F7064555857F34AF03210B0681CBD4588E0A3C665561AC7A2

Function 0609DC37 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049e199dde50e07788227a0744b7ebea8561bd4fa9c6864ee41fc52f9fae05e8
Instruction ID: e2daae37eef92eea230b7fed4cc38ab7de214bdc0f9140d9e3e5923877c5e1ee
Opcode Fuzzy Hash: 049e199dde50e07788227a0744b7ebea8561bd4fa9c6864ee41fc52f9fae05e8
Instruction Fuzzy Hash: 34E01274E00118CFDB60CFA5D8447DDBBB2FB59700F1082AA9908A3340D7B44E80CF80

Function 06C766F2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cbcde9e2ffb65dc3c3d6bd560e73f3ce0cb2b0eb7b932ba261d171f8d4f20b
Instruction ID: 8e624aecbd55264403ffe4b3f68a2d0b2466d9c052c704d29ea002ca98942293
Opcode Fuzzy Hash: d5cbcde9e2ffb65dc3c3d6bd560e73f3ce0cb2b0eb7b932ba261d171f8d4f20b
Instruction Fuzzy Hash: A7D05EB0D42119CFE7D18B11DD95FDA7771AF10348F104090C42A63245EBB449848F65

Function 06C7671C Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67b00cb26a138e372613566407af7039e94ebb03a138ef25fb209a282ed7d88
Instruction ID: 2b591cffb3a85edffc184ca892d39c22b59f23853e4a58bcfd06c2734985278a
Opcode Fuzzy Hash: d67b00cb26a138e372613566407af7039e94ebb03a138ef25fb209a282ed7d88
Instruction Fuzzy Hash: CAD02234300106CFE350AB84CC88BAA37B3EB89308F2000C4A11D97380CF788CC08F62

Function 06099248 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12584ec230a05a2ade64e6c309f92965c2eae273fdf6be7e4890779dcb14a26
Instruction ID: a39e73d96365a310f41ed9f305455611ad2bbe99ac4b64516af4d56e46686a98
Opcode Fuzzy Hash: a12584ec230a05a2ade64e6c309f92965c2eae273fdf6be7e4890779dcb14a26
Instruction Fuzzy Hash: EDC08C2048160842DAE977E9AE097397AAA9B82A0AF880006B91C114014E740040E23B

Function 06095090 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463ffc95b436662b3360c17136e397b73217ab742c7385b77e7ac16409fe8478
Instruction ID: cd29785639c2140ffb9af736b2439fed277f98d0a7fba494a17317fde7a928b3
Opcode Fuzzy Hash: 463ffc95b436662b3360c17136e397b73217ab742c7385b77e7ac16409fe8478
Instruction Fuzzy Hash: EFB09226364209AB980125CA7825826BB5EB2815983404912B88A0E78EEA61A8A00A77

Function 059F0140 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386a2d9613fd5ac77f0512b99bed0ac1fb4436d2d4540b1eadd9b05a787efa12
Instruction ID: e6a58e8a7768e7510157ad319f56504a9ecc135b5ae45fd554d65d2b7ee5b3e6
Opcode Fuzzy Hash: 386a2d9613fd5ac77f0512b99bed0ac1fb4436d2d4540b1eadd9b05a787efa12
Instruction Fuzzy Hash: A7B09276A0101A8B9F149B84FC854ECF330EAC032AB100063E229A205096311A69CB51

Function 06095096 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a06ff7cac25d9ef3c4f1b6e6f4173f982d295478a6c5236c5289696baa8a82
Instruction ID: 27b0e15c0c326782ffd8d5a8ae0c3ba4196afec4fc01f40d65a2e4133b61f670
Opcode Fuzzy Hash: c3a06ff7cac25d9ef3c4f1b6e6f4173f982d295478a6c5236c5289696baa8a82
Instruction Fuzzy Hash: 17B012213700009BCE0005D430240673B13B3803C83108803F48A1E78CDA2048A10A32

Function 059F0D80 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebb9a15ece57f990afe37748d4b7fe1266a680df08e81003828234c50fee488
Instruction ID: c5e26229662c9432f9bc7476c6ece914768bd3db68507641d2468841d4d27353
Opcode Fuzzy Hash: 9ebb9a15ece57f990afe37748d4b7fe1266a680df08e81003828234c50fee488
Instruction Fuzzy Hash: 2AB092341602088F82409B59D448C00B3ECAF08A2434140D0E1088B632C621F8008A40

Function 059F0D50 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40

Function 059F0CC0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
Instruction ID: 38f246181df111d5429a8bd68a772e0fce3d181c3253e5a9de7ce3dab65c4b62
Opcode Fuzzy Hash: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
Instruction Fuzzy Hash: F4B01230240208CFC300DB5DD445C003BFCAF49A0434000D0F1088B731C721FC008A40

Function 059F0CE8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f1a1d767593426b531c63a5534224079100c6a31a4acfa6644f4bb4fa39323
Instruction ID: f41c7ed5a7d5ea02a4be93ab767978625b4dbd4034144e06a19379c94a362e92
Opcode Fuzzy Hash: d5f1a1d767593426b531c63a5534224079100c6a31a4acfa6644f4bb4fa39323
Instruction Fuzzy Hash: 62B0923600010CFBCB012E81E8048897F29FB142A0B008011F9080802087329620AB94

Function 059F0CE6 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eab756303032473e7b4e56298c60cb2402b4b92e52effe3ca315e01650085f0
Instruction ID: eb673871de74bacb902cf2bd6fe0e2e8e17c33fd3cfed042f2ec7fac44e97159
Opcode Fuzzy Hash: 6eab756303032473e7b4e56298c60cb2402b4b92e52effe3ca315e01650085f0
Instruction Fuzzy Hash: 35C09236000108FFCB02AF90E8058887F39FB553A0B008012F91C4D030C7338722EF80

Function 059F0170 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1429259358.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f0b2ed48917999c4d670d536ee4710f0234dc277b27a0f2139aa23893184ab
Instruction ID: a0ff698643857e0212abd856d84a5fe1dc5f298971b0ea240ce21e19b9956519
Opcode Fuzzy Hash: 57f0b2ed48917999c4d670d536ee4710f0234dc277b27a0f2139aa23893184ab
Instruction Fuzzy Hash: DDA02230030B0CCBBA003BFA300A0A83B0CAC00022B808083F03C002008EA2208088EA

Non-executed Functions

Function 06095668 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013c84d8511bfe047d71a863da941f0994d480e3374108cbdcce0427c2668b0b
Instruction ID: a271bfb470c767821e98e944609b6e9d7f61291ee410a5a18434daa727dbdc23
Opcode Fuzzy Hash: 013c84d8511bfe047d71a863da941f0994d480e3374108cbdcce0427c2668b0b
Instruction Fuzzy Hash: A071E570E10209CFEB48DF6AE85169ABBF3FBD8201F54C16AD4049B368EF75580ADB51

Function 06095667 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31c1b993555824932b24a35315c1b235d50094934ab13e6088cb80867b291a2
Instruction ID: 00b190ac4df7218f11a8c5ae63af2d44f79a3fb03ea90905932f24c573997cbb
Opcode Fuzzy Hash: f31c1b993555824932b24a35315c1b235d50094934ab13e6088cb80867b291a2
Instruction Fuzzy Hash: FC61F570A10209CFEB48DF6AE95169ABBF3FBD8201F44C16AD4049B368EF34580ADB51

Function 06095659 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6a619b68308be699216b663e1eb60f15db49c3f8ce16bd2b439e5327eb0c58
Instruction ID: 6d745dfef4e3c01325073de9724696b986431645ee9fd9b6811471910f995913
Opcode Fuzzy Hash: 9f6a619b68308be699216b663e1eb60f15db49c3f8ce16bd2b439e5327eb0c58
Instruction Fuzzy Hash: D961D570E102098FEB48DF6AE95169ABFF3FBD8201F54C56AD4049B328EB35580ADB51

Function 06C8E758 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79999e7dee51fb5e1f83f687626f93597c84c6acd79c61b6d0bcfc6e9b1f2fd2
Instruction ID: 299c916916ab267eb3257db19b25af01233610bbc81bca4b3d6a926c5f93311d
Opcode Fuzzy Hash: 79999e7dee51fb5e1f83f687626f93597c84c6acd79c61b6d0bcfc6e9b1f2fd2
Instruction Fuzzy Hash: C8512974A10218DFEB58DF38D455BA97BF2EB49300F5144AAE80AEB391DB359D85CF01

Function 060950AF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671d9bf01c7a3997478886bc70b27ff2d2bb93dfaedf3b6e160ccd671164205f
Instruction ID: faae9302c6b70bdee71761469bda04e9f5dfdc1d5b7acdf92aaa66b9b5612017
Opcode Fuzzy Hash: 671d9bf01c7a3997478886bc70b27ff2d2bb93dfaedf3b6e160ccd671164205f
Instruction Fuzzy Hash: EE41D131A44205DFEF52CF95EC81BAEBFB2EF88300F218526E541EB250D6319985DBE1

Function 060950C0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad57ed12662829c3eae7cb0788c0b6e45d1e92ec8206cda9b38cd44b1526431
Instruction ID: 4a2f338fc28ee394905f8d01a8a9361abd28de1fb2c0962d1e82ab72eb369c7a
Opcode Fuzzy Hash: 4ad57ed12662829c3eae7cb0788c0b6e45d1e92ec8206cda9b38cd44b1526431
Instruction Fuzzy Hash: 0741A431A44209DFEB52CF95EC41BAEBFB6FB88300F218526E505DB250D631D9819BE1

Function 06095081 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7252bfd0fd3ab2aa59a2860fdf5a0adfa0c581e1516004efa5d133a797a272
Instruction ID: 46b50352610a5fefc7c8e18ff8ba7f1ec07c65b29d390679579389fb97b5052a
Opcode Fuzzy Hash: bb7252bfd0fd3ab2aa59a2860fdf5a0adfa0c581e1516004efa5d133a797a272
Instruction Fuzzy Hash: 95410531A48205DFEB42CFA4ED81BAEBFB2EB49300F258422E541DB350D635D9849BE1

Function 06C70040 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d8e9469dbf58d6254b976d134089ed56c4c22d927184e16444cfd256b323b0
Instruction ID: d14d7df90c782b1dac8d129a47a999e01d9eb0ef171d7cda6512c98c305f0749
Opcode Fuzzy Hash: c4d8e9469dbf58d6254b976d134089ed56c4c22d927184e16444cfd256b323b0
Instruction Fuzzy Hash: 3441B6B0E012298BEBA8CF1ACD4469DBAF2BB89304F11C5EAD40DA7254DB745AC5CF45

Function 06C70007 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1432211074.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1cb0f8894db2a87da5143fdca34fe64b836468672e278778217f0b08a73565
Instruction ID: 1bfde61b49d6cc68f36bb6606d15fc28511eb57cc842c3fcaf114f882bdec8e1
Opcode Fuzzy Hash: bf1cb0f8894db2a87da5143fdca34fe64b836468672e278778217f0b08a73565
Instruction Fuzzy Hash: F7314D71D057988FEB69CF2B8C5469ABBF6EF85300F05C0EAD4489B255DB740A85CF50

Function 06095BF8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9729bddfb7574e8455e13bbb7f9bbfcf4e16e3ae7c3e92acd4725dfe192dc560
Instruction ID: bd8b7fd9f0b1246e1fad6c70c3dddfa91a2d4fd1d93c08b246eac11803916e7d
Opcode Fuzzy Hash: 9729bddfb7574e8455e13bbb7f9bbfcf4e16e3ae7c3e92acd4725dfe192dc560
Instruction Fuzzy Hash: 1A31A3B0D116188BEB69CF6BCC4879EFAF7BF89304F14C5AAD40CA6254DB740A859F10

Function 06095BEA Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430379000.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658b3422ee16ff1aba7d3131ea2e40bd913b712c0fe806574d9d2c0d6e08c6ff
Instruction ID: 3a7eea02a236bec384b4dbb787e9aefccfa916e66abec79354de68cb4fd68c85
Opcode Fuzzy Hash: 658b3422ee16ff1aba7d3131ea2e40bd913b712c0fe806574d9d2c0d6e08c6ff
Instruction Fuzzy Hash: 603197B1D016588BEB69CF6BC94938EFBF7BFC9304F14C5AAC448AA255EB7405858F10

Analysis Process: 3vLKNycnrz.exePID: 7452, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.1%
Total number of Nodes:	59
Total number of Limit Nodes:	2

Executed Functions

Function 00408620 Relevance: 7.6, APIs: 5, Instructions: 107
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408644
GetCurrentThreadId.KERNEL32 ref: 0040864D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040869F
GetForegroundWindow.USER32 ref: 004086B4
ExitProcess.KERNEL32 ref: 00408771

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: f269ce15b62759249a87e8095c09880a933a93e1a5a8af1a285a3f39b88257a8
Instruction ID: 2ab26929ac22d33901149aa551f8fc81b7b3b861aac10a10b3a4e62ada129a5c
Opcode Fuzzy Hash: f269ce15b62759249a87e8095c09880a933a93e1a5a8af1a285a3f39b88257a8
Instruction Fuzzy Hash: 30314473A0031D0BCB247EB55D8A36AF1869BC4310F1F103D6A89EB3D2EE6E0C058299

Function 0043A320 Relevance: 5.1, Strings: 4, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$A.C, xrefs: 0043A469
L9;, xrefs: 0043A45B
(EFG, xrefs: 0043A470
M5F7, xrefs: 0043A454

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: $A.C$(EFG$L9;$M5F7
API String ID: 0-716650282
Opcode ID: a3248d0ae3c2ff1dc0494626869ba73b6ec220572a9d65c3157c373830ba5bef
Instruction ID: 9b362c61da336a2ae8ea6290e8c0db5c8ff5c04be66d4453546d1038febf736e
Opcode Fuzzy Hash: a3248d0ae3c2ff1dc0494626869ba73b6ec220572a9d65c3157c373830ba5bef
Instruction Fuzzy Hash: D3312632651B009FC724CF75DC46356BAE2BB86754F25CA3DD0A6C7795E7B8D0058B08

Function 0040BD61 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?L", xrefs: 0040BDB2
iL", xrefs: 0040BE16

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: ?L"$iL"
API String ID: 0-3699518731
Opcode ID: f70d4f0d1b59178c64416d6cc34cefdb3cfcb84c192bbc1135f2e6c00128c05a
Instruction ID: 52a9b6de7af2d81cb0eea610d47e69b686b57175818a8db13fa0bffc6a3e7ece
Opcode Fuzzy Hash: f70d4f0d1b59178c64416d6cc34cefdb3cfcb84c192bbc1135f2e6c00128c05a
Instruction Fuzzy Hash: F551F472E102258FD714CF58CC90AABBBB1FF89314B0A9169D951BB3A1D7789C018B98

Function 0043A5B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043C8CB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A5DE

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043CCE0 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

0?>=, xrefs: 0043CD05

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID: 0?>=
API String ID: 2994545307-3891647100
Opcode ID: 4ac6dad85a8b8badd7a4f14bbafc2d79f95844eb08445b7414a751a7e0bb29ca
Instruction ID: 8ec6b15b855e60249eabea3af3a81123ae50d9401847775218f9f777cc84a275
Opcode Fuzzy Hash: 4ac6dad85a8b8badd7a4f14bbafc2d79f95844eb08445b7414a751a7e0bb29ca
Instruction Fuzzy Hash: D8310834704300ABE7104B64ACD1B7BBBE5EB8A714F24693EF685B7291D628FC11C70A

Function 0043A6B4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043A6EF

Strings

5()*, xrefs: 0043A6C5

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: ForegroundWindow
String ID: 5()*
API String ID: 2020703349-1326618346
Opcode ID: ef895584e3463f3f68fd34886f599cb15f52c97dd58883bf3794c0fc238b69aa
Instruction ID: c71105b9e17c32472be62313526bc1113bf90732a25e8e6de3dcecaaaeb78642
Opcode Fuzzy Hash: ef895584e3463f3f68fd34886f599cb15f52c97dd58883bf3794c0fc238b69aa
Instruction Fuzzy Hash: A6F0BBB5E5865087DB18DF359C6546B7BE1A75A324F24693EE582D3242D63EC801C30E

Function 0040C8E6 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C8EA
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CA31

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6f6effb1460477831ac12bc4fe1b86987d569b8e94679f6ac3f5153db78c57cc
Instruction ID: ca5249e1fd23fe5382115dc6c75c30d5a39f336e6071931cf83ee7099c131467
Opcode Fuzzy Hash: 6f6effb1460477831ac12bc4fe1b86987d569b8e94679f6ac3f5153db78c57cc
Instruction Fuzzy Hash: CA41B9B4C10B40AFD370EF39D94B7127EB4AB05250F508B1EF9EA866D4E631A4198BD7

Function 004330D2 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 004330FD

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: fecec9b8bdc620ed66c5f7f7fbbde8d10dba92c50af755c723726afc618a3463
Instruction ID: ede672be39caaa6dafdc8ddbe4b8af2e0014e6452cca2b92b4faab07863be0e6
Opcode Fuzzy Hash: fecec9b8bdc620ed66c5f7f7fbbde8d10dba92c50af755c723726afc618a3463
Instruction Fuzzy Hash: CE214B33E041A58BCF28CF7C8D152AEBFB25B9A220F1943A9DC90B7381D6344E418BD1

Function 0043A6E1 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043A6EF

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 5ee508286f2350a72e81952e3a6e277e2defe54f026306661ed469a043f484d7
Instruction ID: 1dc4ab3a7fed408f0b80ed6fae16d8750af52cf01a428f3bca4c5586c6fca7e7
Opcode Fuzzy Hash: 5ee508286f2350a72e81952e3a6e277e2defe54f026306661ed469a043f484d7
Instruction Fuzzy Hash: EDE086BDF14A248BCB18CF65ECA542437A2A759311724943FE803D3357DD3ADC02D649

Function 0040CA6D Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CA7F

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 73c3ff371ddf2dba0e2c51fe4018f5a35349ad899bfef2bbca8f86c89653fe45
Instruction ID: 5b0f5add59d0d7e095468882ba85f577866da2625a1fc62412e9c605a90bd8bb
Opcode Fuzzy Hash: 73c3ff371ddf2dba0e2c51fe4018f5a35349ad899bfef2bbca8f86c89653fe45
Instruction Fuzzy Hash: 03E05E39BD42007BF7244B18EC4BF40224293CAB21F788235B311EE7E8CCE8A449860C

Function 00438AD0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043A596,?,0040B500,00000000,0040B55F), ref: 00438AEE

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1a6db2d9ad1dda0081a400328015eb6b4d5948ceae9bed2b2506b368cf6b16e2
Instruction ID: 00c34fd169b5899b633ec4a717eb9c3f8ad66db4c8575b282a5a18a1672db1fa
Opcode Fuzzy Hash: 1a6db2d9ad1dda0081a400328015eb6b4d5948ceae9bed2b2506b368cf6b16e2
Instruction Fuzzy Hash: D9D0C931405622EBCA111F25EC06B8A7A64DF093A1F025465A400AA072C765EC518AD8

Function 00438AA4 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 00438AB4

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 33cbe60f46516dd729390eb0eccd9d123dfa1e23fdcf3b14e3fb3e7dd79eea06
Instruction ID: f0201cb6773035d3177af80b22c7b0d5ecb2c2dae01169802860e208a7d99c90
Opcode Fuzzy Hash: 33cbe60f46516dd729390eb0eccd9d123dfa1e23fdcf3b14e3fb3e7dd79eea06
Instruction Fuzzy Hash: DCC04C34141211ABD5351B119D4DF6F3D79DB4BB93F101024F9055409247746001996D

Function 0040D4F3 Relevance: 1.3, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0040D4FB

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 90a3a7e7db08da2634a4ed5c88deb32946b38afa0e0eeedc36dbb0d2118d5f56
Instruction ID: fcc88d101f4a76860ca4f5e012e2520af0942ee69f666cb17ae4560173826b52
Opcode Fuzzy Hash: 90a3a7e7db08da2634a4ed5c88deb32946b38afa0e0eeedc36dbb0d2118d5f56
Instruction Fuzzy Hash: A3C0127D6480419BD70C8721BC054253756AB8A3493245479DD0352276E5319456851D

Non-executed Functions

Function 00422D70 Relevance: 32.5, Strings: 25, Instructions: 1295COMMON

Download Yara Rule

Strings

;l9n, xrefs: 004234E8
mlkj, xrefs: 004242F5
JG, xrefs: 004236C8
wp, xrefs: 004236BE
B7P9, xrefs: 00422DA2
EG, xrefs: 004236D2
8:, xrefs: 00423839
&:, xrefs: 004238C5
Z?E!, xrefs: 00422DB2
wp, xrefs: 004237DD
,p&r, xrefs: 004234D3
^_, xrefs: 00422DF6
>E, xrefs: 004238D3
0', xrefs: 004238DA
N+P-, xrefs: 00422DCA
1h/j, xrefs: 004234E1
xM`O, xrefs: 004239CF
A/6Q, xrefs: 00423B2D
:<, xrefs: 004238CC
&t6v, xrefs: 004234DA
&:, xrefs: 0042397E
=_%A, xrefs: 00423B49
=S2U, xrefs: 00422DDA
?W4Y, xrefs: 00422DE2
<[5], xrefs: 00423B42

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: &t6v$&:$&:$,p&r$0'$1h/j$:<$;l9n$<[5]$=S2U$=_%A$>E$?W4Y$A/6Q$B7P9$EG$JG$N+P-$Z?E!$^_$mlkj$wp$wp$xM`O$8:
API String ID: 0-4036459184
Opcode ID: b86619ce0fb86be72c075babf46424e4b6a5dc08b7dfa0c816d11e3d25bdbeba
Instruction ID: 621ace128c741c72fbbdfe5d89d7f9e24a1e8e275d799776b0bb284a418f6a1d
Opcode Fuzzy Hash: b86619ce0fb86be72c075babf46424e4b6a5dc08b7dfa0c816d11e3d25bdbeba
Instruction Fuzzy Hash: A9B2EBB5A04725CFD724CF24D8806AABBB1FF85304F2485ADD49AAF742D775A842CF84

Function 00435CA0 Relevance: 32.2, APIs: 10, Strings: 8, Instructions: 746memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C,00000000), ref: 00435F83
SysAllocString.OLEAUT32(0000D43F), ref: 00435FF8
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436036
SysAllocString.OLEAUT32(0000D43F), ref: 00436095
SysAllocString.OLEAUT32(0000D43F), ref: 00436127
VariantInit.OLEAUT32(?), ref: 00436196
SysFreeString.OLEAUT32(?), ref: 0043643F
SysFreeString.OLEAUT32(?), ref: 00436448
SysFreeString.OLEAUT32(00000000), ref: 0043645C

Strings

Yz=|, xrefs: 004360BD
:j.l, xrefs: 00436115
1n*`, xrefs: 004360A5
Ef]x, xrefs: 004360B5
%)*+, xrefs: 00435D40
"b7d, xrefs: 004360AD
,rSt, xrefs: 004360CD
/~ p, xrefs: 004360C5

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: "b7d$%)*+$,rSt$/~ p$1n*`$:j.l$Ef]x$Yz=|
API String ID: 2737081056-2387816766
Opcode ID: b7b6029c48d98f914741704bef50a66fad523e17e46cc5b463d75fe370098866
Instruction ID: 8de3c40ff093b11e2e09931193b767e06f162f6ac0398119def9de2cc4740bb7
Opcode Fuzzy Hash: b7b6029c48d98f914741704bef50a66fad523e17e46cc5b463d75fe370098866
Instruction Fuzzy Hash: DA323371A083119BD310CF28C88176BBBE5EFC9324F159A2DE9D58B391D778D805CB8A

Function 004230D0 Relevance: 25.0, Strings: 19, Instructions: 1222COMMON

Download Yara Rule

Strings

0', xrefs: 004238DA
mlkj, xrefs: 004242F5
;l9n, xrefs: 004234E8
JG, xrefs: 004236C8
wp, xrefs: 004236BE
1h/j, xrefs: 004234E1
xM`O, xrefs: 004239CF
EG, xrefs: 004236D2
8:, xrefs: 00423839
&:, xrefs: 004238C5
A/6Q, xrefs: 00423B2D
:<, xrefs: 004238CC
&t6v, xrefs: 004234DA
&:, xrefs: 0042397E
wp, xrefs: 004237DD
=_%A, xrefs: 00423B49
,p&r, xrefs: 004234D3
<[5], xrefs: 00423B42
>E, xrefs: 004238D3

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: &t6v$&:$&:$,p&r$0'$1h/j$:<$;l9n$<[5]$=_%A$>E$A/6Q$EG$JG$mlkj$wp$wp$xM`O$8:
API String ID: 0-611813272
Opcode ID: 4bf8c3e06e125019cc28075f44cd85383120c8b00b071029927c52c99f19c43b
Instruction ID: e3462e6896757585fce53d35f3d4f79783bf105092c3b89bd78476700a500846
Opcode Fuzzy Hash: 4bf8c3e06e125019cc28075f44cd85383120c8b00b071029927c52c99f19c43b
Instruction Fuzzy Hash: A4B2EAB4A00325CFDB24CF29D8407AABBB1FF45304F2486ADD599AB741D735A982CF84

Function 00423386 Relevance: 24.8, Strings: 19, Instructions: 1050COMMON

Download Yara Rule

Strings

0', xrefs: 004238DA
mlkj, xrefs: 004242F5
;l9n, xrefs: 004234E8
JG, xrefs: 004236C8
wp, xrefs: 004236BE
1h/j, xrefs: 004234E1
xM`O, xrefs: 004239CF
EG, xrefs: 004236D2
8:, xrefs: 00423839
&:, xrefs: 004238C5
A/6Q, xrefs: 00423B2D
:<, xrefs: 004238CC
&t6v, xrefs: 004234DA
&:, xrefs: 0042397E
wp, xrefs: 004237DD
=_%A, xrefs: 00423B49
,p&r, xrefs: 004234D3
<[5], xrefs: 00423B42
>E, xrefs: 004238D3

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: &t6v$&:$&:$,p&r$0'$1h/j$:<$;l9n$<[5]$=_%A$>E$A/6Q$EG$JG$mlkj$wp$wp$xM`O$8:
API String ID: 0-611813272
Opcode ID: ff2a99c19f9b840e95b2d17971a0ad3f292e750e1885d5819587218073c6286e
Instruction ID: b882ab932fa44272eea2bbe9296e9b6344ed88f024d6a465cc22b9f2988137a7
Opcode Fuzzy Hash: ff2a99c19f9b840e95b2d17971a0ad3f292e750e1885d5819587218073c6286e
Instruction Fuzzy Hash: 3292CAB5A00725CFDB24CF25D8806AABBB1FF45304F2485ADC59A6F752D735A882CF84

Function 00419620 Relevance: 13.6, APIs: 2, Strings: 5, Instructions: 1312COMMON

Download Yara Rule

APIs

Part of subcall function 0043A5B0: LdrInitializeThunk.NTDLL(0043C8CB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A5DE

FreeLibrary.KERNEL32(?), ref: 00419CAA
FreeLibrary.KERNEL32(?), ref: 00419D2B

Strings

mlkj, xrefs: 0041967A
mlkj, xrefs: 0041A4ED
J/h, xrefs: 00419B64
mlkj, xrefs: 00419BBA
Wu, xrefs: 00419CAA, 00419D2B

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: J/h$mlkj$mlkj$mlkj$Wu
API String ID: 764372645-1318733947
Opcode ID: 64b866459d3efd96d91c01d890908a9db4bf1cc0fc2684fdae2d024f71781d6d
Instruction ID: 9d079e2a3d689fb2d695da07dff0836209dff4b8f771087d1f1530ec48afe32a
Opcode Fuzzy Hash: 64b866459d3efd96d91c01d890908a9db4bf1cc0fc2684fdae2d024f71781d6d
Instruction Fuzzy Hash: E99235396093409AD315DF21C890BBFBBE2EBD6704F24882EE2C557352DB799C45CB46

Function 00430740 Relevance: 9.2, APIs: 6, Instructions: 153clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00430762
GetClipboardData.USER32 ref: 00430783
CloseClipboard.USER32 ref: 00430910

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: ed22625543cd6cbe4c61938bd6270a151eadf7f901f5a69968a458354b63d413
Instruction ID: cd77b6b86ea3fad057bcf2ce912058e653a7b26ec882016760a9a5dd3841588a
Opcode Fuzzy Hash: ed22625543cd6cbe4c61938bd6270a151eadf7f901f5a69968a458354b63d413
Instruction Fuzzy Hash: B75124B2D08A918FE700AB78C84935ABFE1AB45300F05867DD89997382D37899588BD7

Function 0042262A Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 329COMMON

Download Yara Rule

Strings

stu, xrefs: 00422ADC
|C, xrefs: 004227B5
pr, xrefs: 004227AE
pr, xrefs: 00422796

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: pr$pr$|C$stu
API String ID: 0-3781844917
Opcode ID: 41d49a1763fe52469dcbf448ad62cd4b7ca4673945f29148586fff256c62a002
Instruction ID: 01b159c211fb57ca204574ba1aee21575a8bb29d263262e542e5f43b0d0d8542
Opcode Fuzzy Hash: 41d49a1763fe52469dcbf448ad62cd4b7ca4673945f29148586fff256c62a002
Instruction Fuzzy Hash: FDB1BBB5A00216DFCB00CF54D9816AABBB1FF4A310B1882A8D844DF356E3B8E951CFD5

Function 004223EF Relevance: 8.9, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

(&B, xrefs: 00422622
EF, xrefs: 00422432
B>\0, xrefs: 00422535
,N;@, xrefs: 00422551
P2O4, xrefs: 0042253C
t6GH, xrefs: 00422543
BfD, xrefs: 00422558

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: BfD$(&B$,N;@$B>\0$EF$P2O4$t6GH
API String ID: 0-3638485462
Opcode ID: 3bfa644d511106c29585e5997b5b16d3f54ad53c9b6297e5ebb30188e6e4366f
Instruction ID: d3488ee24b6fb1c2b90eccc6e9cd5233fee36bd8583c441fe1e3a9afb2e27a03
Opcode Fuzzy Hash: 3bfa644d511106c29585e5997b5b16d3f54ad53c9b6297e5ebb30188e6e4366f
Instruction Fuzzy Hash: 77512971D002209FDB15CF68C89166BBB72EB82310F66816CE815BF795DB758C02CBD9

Function 0041709A Relevance: 8.4, Strings: 6, Instructions: 932COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00417477
mlkj, xrefs: 004170F5
m, xrefs: 004177AA
mlkj, xrefs: 00417655
mlkj, xrefs: 0041735A
mlkj, xrefs: 004179F3

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID: m$mlkj$mlkj$mlkj$mlkj$mlkj
API String ID: 2994545307-3608166878
Opcode ID: bf0c6fe6ac3fd079f3363a373944b5e6a258b3e08f63ba39d0d4d6a9a5e4bb28
Instruction ID: 3d83204929475d2243f35793712f265c1150c7b3cc80a7e3b3cdd320ce48e554
Opcode Fuzzy Hash: bf0c6fe6ac3fd079f3363a373944b5e6a258b3e08f63ba39d0d4d6a9a5e4bb28
Instruction Fuzzy Hash: 0432293960C2409FD715CF24C8506BFB7E2FF9A304F28492EE5C697252DB389942CB99

Function 004365C0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0043665A
BhC, xrefs: 00436834
"#d, xrefs: 004365C2
fC, xrefs: 004366D6

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: BhC$mlkj$"#d$fC
API String ID: 0-1588649497
Opcode ID: 0a951961818f4deef2a5dc80d74dd1fd7fba13dcb5c6d0f204d6eeafbeb5e776
Instruction ID: 01b69275c66d40f68532354ebb2a4c5dcc00f28d52a01c540a03275d902fae9a
Opcode Fuzzy Hash: 0a951961818f4deef2a5dc80d74dd1fd7fba13dcb5c6d0f204d6eeafbeb5e776
Instruction Fuzzy Hash: 1D515575208301ABE7149F29DC92B6FB7E1EB8A308F04983DF58087382D7799C15D766

Function 0041F990 Relevance: 4.2, Strings: 3, Instructions: 471COMMON

Download Yara Rule

Strings

*+, xrefs: 0041FD0E
]5R7, xrefs: 0041FA90
Z9:;, xrefs: 0041FA9B

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: *+$Z9:;$]5R7
API String ID: 0-1782461210
Opcode ID: 18317f73d4b20812587b15f1d8e783b2e86799ef8bff05252d0e068513a8142b
Instruction ID: f3e337a824cacc6ba73b64c2a0d4bdd9619d61f0da174fd01dd171e9017f99f7
Opcode Fuzzy Hash: 18317f73d4b20812587b15f1d8e783b2e86799ef8bff05252d0e068513a8142b
Instruction Fuzzy Hash: CDD105715083018BD728CF25C8926ABB7F2FFD2350F19992DE4C58B394E7789849CB86

Function 0043D8A0 Relevance: 4.1, Strings: 3, Instructions: 322COMMON

Download Yara Rule

Strings

, xrefs: 0043DACF, 0043DB36
, xrefs: 0043D968, 0043D9D7
=?, xrefs: 0043D8A0

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: =?$$
API String ID: 0-4187781974
Opcode ID: 912699e5b5a83eda740f84456a48b7eea04782f4ff5260ae1e234fab1a7b3f9b
Instruction ID: 02130b947a74d38fc6f31402f909bc89a173168320cded222b6466677b06a2ff
Opcode Fuzzy Hash: 912699e5b5a83eda740f84456a48b7eea04782f4ff5260ae1e234fab1a7b3f9b
Instruction Fuzzy Hash: 17913431A083008BD718DE28E89157FB7E2EFDA310F15993EE59687391D739E806CB56

Function 0042843A Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

mlkj, xrefs: 004287BA, 0042852B
r, xrefs: 00428625
[^, xrefs: 0042861E

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: [^$mlkj$r
API String ID: 0-1669103348
Opcode ID: 21e9d6ce220200bc9f185d709e92f6d5e6c3a4ce1628005c404ebdc8a80ffc3a
Instruction ID: ef4a1bd29f2b91fadf10b969bcbb7c19a58179f01bb9ca66c101a2bf60e5b683
Opcode Fuzzy Hash: 21e9d6ce220200bc9f185d709e92f6d5e6c3a4ce1628005c404ebdc8a80ffc3a
Instruction Fuzzy Hash: C2B1027560D380DFD3049F28D89162EBBE2AF9A315F68896DF1C5873A1DB399940CB06

Function 00414DB0 Relevance: 4.0, Strings: 3, Instructions: 298COMMON

Download Yara Rule

Strings

PA, xrefs: 004150AC, 004150B6
bQA, xrefs: 0041515C, 004154F7
mlkj, xrefs: 00415125

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: PA$bQA$mlkj
API String ID: 0-4187677057
Opcode ID: 61665537f678a7279439f67486d301fc68e7e742a4c3ab9a55f07ac3181458a1
Instruction ID: 75354251b3903ef5e4615d9cd6dee5b584e0579d9b4b5e89aefee9135f14cca8
Opcode Fuzzy Hash: 61665537f678a7279439f67486d301fc68e7e742a4c3ab9a55f07ac3181458a1
Instruction Fuzzy Hash: 2A91E074908340DBD7209F14D891BABB7B4FFD6354F144A2DE4C98B391EB789981CB8A

Function 00408E70 Relevance: 4.0, Strings: 3, Instructions: 269COMMON

Download Yara Rule

Strings

t, xrefs: 00408ED3
c, xrefs: 00408E98
|x, xrefs: 00408E91

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: t$c$|x
API String ID: 0-1736779163
Opcode ID: b29248f8861ec8d9f9602d0609553e13db4ca6b245818f8b3d2a13e52ec70524
Instruction ID: 2d2eb292849ed74914c57985dfe7e563ba50c5517b571c60e4d6b76e5462cd37
Opcode Fuzzy Hash: b29248f8861ec8d9f9602d0609553e13db4ca6b245818f8b3d2a13e52ec70524
Instruction Fuzzy Hash: 3C61946110C3828AD7058F79849036BFFE19FA3244F1844AEE4D5AB383C77AC909C76B

Function 0042A972 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 481COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042AA68

Strings

Wu, xrefs: 0042AA68

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: 9876d0f5205f503ac3b31147c4fe603824ae2b152544d7ed90e633a4cdd92e7e
Instruction ID: e22133d68aded2852b0909aadde07a96b9d846834dfa351e4256db85230899c3
Opcode Fuzzy Hash: 9876d0f5205f503ac3b31147c4fe603824ae2b152544d7ed90e633a4cdd92e7e
Instruction Fuzzy Hash: C3E1F43060C3E18BDB358F2594507BBBBE2AFA7304F48499DD4D99B282D7394505CB57

Function 00427040 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

Y{|=, xrefs: 0042716D
Trst, xrefs: 0042706A
Y{|=, xrefs: 004270B8

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: Trst$Y{|=$Y{|=
API String ID: 0-3553150240
Opcode ID: e1208d81fc8c85d3d270f4aa6328560ffbfdb63ed79d86d8aed19965aa8dd395
Instruction ID: 82f041ac4fb129b52d92bc4e0e622a48d078b5b731897c74e1898028a5a03c1e
Opcode Fuzzy Hash: e1208d81fc8c85d3d270f4aa6328560ffbfdb63ed79d86d8aed19965aa8dd395
Instruction Fuzzy Hash: FC314EB3B883524FD314CE6A9CC175BB6A6EBC2310F19853DDC94DB2C8C978C9098796

Function 00439340 Relevance: 3.2, Strings: 2, Instructions: 680COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0043937B
f, xrefs: 004395E5

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID: f$mlkj
API String ID: 2994545307-4173456272
Opcode ID: aebeac2f28ea62f0a92b7820442da45eb91bc90caa3fa21c9929503bd5f20411
Instruction ID: 4c64b292961e85984e0260191e1ac676076537f22ceb86e998aa14a7ac434346
Opcode Fuzzy Hash: aebeac2f28ea62f0a92b7820442da45eb91bc90caa3fa21c9929503bd5f20411
Instruction Fuzzy Hash: E82205766093408BD718DF28C89072FB7E2EBD9304F18992EE59287391DBB89C01CB46

Function 00415538 Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

mlkj, xrefs: 004156BA
K, xrefs: 00415544

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: K$mlkj
API String ID: 0-1140061560
Opcode ID: 1d6bfe0ade3e1b2936bbf3a4a242d8750284956ea84133ede389f664190fa359
Instruction ID: 363b53c9c5521adcf3d900203d92a6946cf5d5463fdaac247f25277884d8064d
Opcode Fuzzy Hash: 1d6bfe0ade3e1b2936bbf3a4a242d8750284956ea84133ede389f664190fa359
Instruction Fuzzy Hash: B6B14675508340CFD3219F28C8917EBBBE1EFDA304F14896EE5C997292CB789881C74A

Function 00438F60 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00439150
F\9B, xrefs: 00439003

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID: F\9B$mlkj
API String ID: 2994545307-2714594616
Opcode ID: 3365063483bee2ac306583c2baf79b07bbbbcb7d26c5fae637048a05ab631897
Instruction ID: be976f136087c75d3cc836e5c26e94b7e2ecf4e77cd8df77255cab527dcbf281
Opcode Fuzzy Hash: 3365063483bee2ac306583c2baf79b07bbbbcb7d26c5fae637048a05ab631897
Instruction Fuzzy Hash: 43716936B143009BD7188E28C8D063FB792EBD9314F19993EE9C697352CB789C01C785

Function 0043CA90 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

0?>=, xrefs: 0043CB87
@, xrefs: 0043CB69

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID: 0?>=$@
API String ID: 2994545307-767217726
Opcode ID: dfbfa5e810cbc1c442dc0c28e40b056708b57764c4ead53dd122222ae65697b0
Instruction ID: 3a77c6d0a17759d827a259e03f83c43c51df96955c699b532ce1594c11df6c84
Opcode Fuzzy Hash: dfbfa5e810cbc1c442dc0c28e40b056708b57764c4ead53dd122222ae65697b0
Instruction Fuzzy Hash: EF412A71A043118BD714CF24DC9236BB7E1FF89328F15952DE499A73D0E739AC05878A

Function 0043A8FB Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

_@A, xrefs: 0043A92B
@, xrefs: 0043A9FD

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: @$_@A
API String ID: 0-2073229136
Opcode ID: 4f7b69d8f459d49f217a57f0a9a55fb221073e2a755645ee80ce746e9e99b0b7
Instruction ID: 20cebdbf30a446673fd44ee1294e223774585645bfe6c1c4e55d4a684f4df4ae
Opcode Fuzzy Hash: 4f7b69d8f459d49f217a57f0a9a55fb221073e2a755645ee80ce746e9e99b0b7
Instruction Fuzzy Hash: FE41B3B66583518BD704DF29C45032BB7E2FFC9314F55692EE0C297390EB789906C74A

Function 00426E19 Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

l.ez, xrefs: 00426E4B
dgX`, xrefs: 00426E43

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: dgX`$l.ez
API String ID: 0-4200491131
Opcode ID: 38976c6c8fd57b5a5dff2b82f354488d86fc6c5a4443b8711867c831509930f6
Instruction ID: 16014e50947f795ab7f1ded1fd4c39bf1763ff48be5190231d3e76ef80b60e05
Opcode Fuzzy Hash: 38976c6c8fd57b5a5dff2b82f354488d86fc6c5a4443b8711867c831509930f6
Instruction Fuzzy Hash: F61129B2B243104B83188F39895246BBBE6FBD4714F55AA2EF485D72D5DA34C9018B4A

Function 00414713 Relevance: 1.8, Strings: 1, Instructions: 548COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00414D24

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: mlkj
API String ID: 0-2192308396
Opcode ID: d6f4f0f47d0673255fa7c80862eee9c0296267c3ab75495d4f089d34b48a5d4e
Instruction ID: 4fda0442eaf16cfdb58ee7ca0d9d32f6ef43eb6d31cc4f2186888d54ac4ebee6
Opcode Fuzzy Hash: d6f4f0f47d0673255fa7c80862eee9c0296267c3ab75495d4f089d34b48a5d4e
Instruction Fuzzy Hash: 1BF1F0B8618200EBD7189F28EC51A7F77A2FBC7314F24453DF68157292DB389851CB9A

Function 004212C0 Relevance: 1.7, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

"#d, xrefs: 004214A6

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: "#d
API String ID: 0-3839902168
Opcode ID: 431ceed54ffb1d3f46aeeef6a6bb40c873e136908d924a7128e289b97741c2a5
Instruction ID: 73157a7711d009bcd06f5a510306ba94cc0283347fa46c6717ba919988dfc8bc
Opcode Fuzzy Hash: 431ceed54ffb1d3f46aeeef6a6bb40c873e136908d924a7128e289b97741c2a5
Instruction Fuzzy Hash: CEC15872B043209BD314DF25D88266BB3E1EFE1354F59842EE88697391E37CE945C39A

Function 00429360 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

", xrefs: 0042965F

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: a7395462c9b40f9162520095ee9b70401cb9ea7387a0b8a66ee37d5f957aa6c6
Instruction ID: 7d1bc372287bb8c994caa66a517cec1fc081287e66e1cf6493d1feff302a8634
Opcode Fuzzy Hash: a7395462c9b40f9162520095ee9b70401cb9ea7387a0b8a66ee37d5f957aa6c6
Instruction Fuzzy Hash: 9EC13872B08320AFD725CE24E49076BB7E5AF85310F58892FE89587381E738DC45C79A

Function 0041C5E0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

ab, xrefs: 0041C6CE

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: ab
API String ID: 0-2659403885
Opcode ID: 097a1a3a8c462d721d3d44d4419dfd969d492c84c4daff575817181de5b309e7
Instruction ID: 18a04c35ed4d055262d839cc3bc541f9bc32cc4e9ff1edb58925424a302bf1d8
Opcode Fuzzy Hash: 097a1a3a8c462d721d3d44d4419dfd969d492c84c4daff575817181de5b309e7
Instruction Fuzzy Hash: 77A110B55483128BC724DF28CC917ABB7F1EF81354F08991EE8859B391E738DA44C79A

Function 00426608 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000), ref: 004266BC

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c3d77a51a5f6ac69ea97a28b7c8e6bea60132e31677e8a2b4b91c57e8b71647e
Instruction ID: 1b8f04ddaa5814a6cbb5ade05a88a5c9b4ece9b3b63a2574100f9b476be69e6c
Opcode Fuzzy Hash: c3d77a51a5f6ac69ea97a28b7c8e6bea60132e31677e8a2b4b91c57e8b71647e
Instruction Fuzzy Hash: E201B1B4A1D3A48AD334CFB4A84136FBAF0FB81300F51981DD0DDEB245CA3594029B4B

Function 00408230 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

-, xrefs: 0040850B

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 6a03b1d3bde38c1db3f5bd674179172993d6ab1c2bf14e658b0dfc265fd588fb
Instruction ID: 97bb20b4423c03195d9428c2b8de4988cd920e3b223c330c98d7dc07d578709b
Opcode Fuzzy Hash: 6a03b1d3bde38c1db3f5bd674179172993d6ab1c2bf14e658b0dfc265fd588fb
Instruction Fuzzy Hash: 1E813C72E046524BC7188D39CA5426BBBD29BC1720F19897EE8D6E73D5FD3CCC054689

Function 0041CA02 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

;*y, xrefs: 0041CB12

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: ;*y
API String ID: 0-1171459767
Opcode ID: c05d3b309990d23b44ea14d2579969a94c6e8c974d91ccb97fd8ea8654ed1f58
Instruction ID: d1ae164922366f481b42436806e994f6f9cb586779525998b75cff8917e7baf9
Opcode Fuzzy Hash: c05d3b309990d23b44ea14d2579969a94c6e8c974d91ccb97fd8ea8654ed1f58
Instruction Fuzzy Hash: 1751257194C3108BD710DF24E8512ABB7F1EF96344F14882EE8C5AB351D335EA05CB8A

Function 0041CA19 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

;*y, xrefs: 0041CB12

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: ;*y
API String ID: 0-1171459767
Opcode ID: b7e6639f8d68430d2013f887c9a0e29467e1d0de2b1894ed87235bfaef55bab7
Instruction ID: 4a8378923a10179abfdcf8d4f58d01a5422faef1167b437de3f3b72c7bfba7ef
Opcode Fuzzy Hash: b7e6639f8d68430d2013f887c9a0e29467e1d0de2b1894ed87235bfaef55bab7
Instruction Fuzzy Hash: 1951157194C3108BD710DF25E8512ABB7F1EF96344F14882EE8C5AB355D339EA05CB9A

Function 0041B7C6 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

#^ZH, xrefs: 0041B985

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: #^ZH
API String ID: 0-3451035658
Opcode ID: efd50c707f85ec63e43ab912c9c3ac510af843228c4a8d67cece31423f7e249c
Instruction ID: 6e53c36a4cde5bd5420cabef97eb07ffa3a372199de788684453f48dba085fa0
Opcode Fuzzy Hash: efd50c707f85ec63e43ab912c9c3ac510af843228c4a8d67cece31423f7e249c
Instruction Fuzzy Hash: 925168B16083048BC715CF29C8927A7BBF2EFDA314F18855DE5C24B3A1E7788846C786

Function 00429820 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 00429A1E

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b9f92e753ab11b02b4db420d9e8affd654e3e3fea257bc5cec012aafe12283da
Instruction ID: 930dfd45b4fa2bec9642a4af3bcb41e6d4051c7e6577fd2267599b9fd59d8c3c
Opcode Fuzzy Hash: b9f92e753ab11b02b4db420d9e8affd654e3e3fea257bc5cec012aafe12283da
Instruction Fuzzy Hash: F771F532B183754BD714CE2CE48032FB7E2ABC6710F99856EE4989B391D279DC45878A

Function 004162D6 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0041637A

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: mlkj
API String ID: 0-2192308396
Opcode ID: bdd2853d5377ef34e8c20968da51bd23097842b2cd0ad12fa34c3e0e85bafc46
Instruction ID: f8ae5d8343d9b1aa80c9852a5fe2960d14e2f68844d95912e96eaca9d7732302
Opcode Fuzzy Hash: bdd2853d5377ef34e8c20968da51bd23097842b2cd0ad12fa34c3e0e85bafc46
Instruction Fuzzy Hash: 6F4116396082009BC324CF2498916BFB3A2FB9A314F6A853DD58687252DF74E842875E

Function 0042B7AD Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0042B8C5

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: mlkj
API String ID: 0-2192308396
Opcode ID: a6398e2ece7ed8a6015c5fde91152c587f0ef1711e00323671c57743c533801c
Instruction ID: 6256f8090b9ba9f9775beeb535e844044b5f4af6feefb02fc07166a1e1a94ef9
Opcode Fuzzy Hash: a6398e2ece7ed8a6015c5fde91152c587f0ef1711e00323671c57743c533801c
Instruction Fuzzy Hash: 293107757083E08BD7289F28986177BF7E3EFC6304F68052DC5C597252D7395801878A

Function 0040C6E5 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

kl, xrefs: 0040C735

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: kl
API String ID: 0-2211745248
Opcode ID: 8eef09741816d59fef0a0aa15018137c013723f26d4b133034aec7d0f0116a43
Instruction ID: c18b8bdec8ff84d112db47bc58101b3ccbc2a492019f1cc289826d93695c47a4
Opcode Fuzzy Hash: 8eef09741816d59fef0a0aa15018137c013723f26d4b133034aec7d0f0116a43
Instruction Fuzzy Hash: A541DB7821C3428BC708CF64C85167BBBE2EF86305F04896DF4969B390E7398902CB1A

Function 0043CE10 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

0?>=, xrefs: 0043CE35

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID: 0?>=
API String ID: 2994545307-3891647100
Opcode ID: 491e2af22c404aa182339118d37bafd851c3d795977766d08b3484434e46fbd2
Instruction ID: ab13e43bc54a80428253f27eee9ef5cca8e65680e571e1142b06ff47657a74f2
Opcode Fuzzy Hash: 491e2af22c404aa182339118d37bafd851c3d795977766d08b3484434e46fbd2
Instruction Fuzzy Hash: 5031F934708300ABE7109B64DCD1B3BB7E5EB8A714F24692EE685772D1D638EC11874A

Function 00427C3A Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00427C50

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: mlkj
API String ID: 0-2192308396
Opcode ID: 7ffbc5b011448d8b76049ad0d55a926e67812119236ecc73dedc71b742fd3438
Instruction ID: 2a8ffe774288475bb00133809967ebd477ab4145f046e2390917428ed8cd07ca
Opcode Fuzzy Hash: 7ffbc5b011448d8b76049ad0d55a926e67812119236ecc73dedc71b742fd3438
Instruction Fuzzy Hash: 1A012231649214CBC70C9F20EC2453FB372FB82324F64042CE64213651D73DAE159B8D

Function 0043B3E5 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

Rf$%, xrefs: 0043B400

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: Rf$%
API String ID: 0-3069614662
Opcode ID: cfe836549f02e627f3b2c11d7aa07307bad81d50d039852b202a3dd3900c5905
Instruction ID: 79ae638c88d335b37b7fbcc31bff9f4ebf7454de2760e629d9247117e01224e7
Opcode Fuzzy Hash: cfe836549f02e627f3b2c11d7aa07307bad81d50d039852b202a3dd3900c5905
Instruction Fuzzy Hash: 8D11047BB299128FC310DE29DD8485AB7E3A7C9204F1A8538C9C8A7316DA70F90586C1

Function 0040A539 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

[`^, xrefs: 0040A539

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID: [`^
API String ID: 0-1988497175
Opcode ID: ee180b808a7f4dec641293872c88d023af803cec24664664176417d5ab8da20f
Instruction ID: e941a6215c83bcaa0aa8c79c5d33efb549c11c324bfc375e59b352c9aad200a8
Opcode Fuzzy Hash: ee180b808a7f4dec641293872c88d023af803cec24664664176417d5ab8da20f
Instruction Fuzzy Hash: 94B09238A48100878288CF05F991470A238A327204F0930288416E3271C520E8508A0C

Function 0043BD10 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bff0d3a1fba5e2fdb066276e7b3ec1bdbf4ba380aa7c3bf4b6c127a601a807d
Instruction ID: cbc344237ec0f91119d97fc87e086ffb8153f3521390e37c44962f25c05f2320
Opcode Fuzzy Hash: 1bff0d3a1fba5e2fdb066276e7b3ec1bdbf4ba380aa7c3bf4b6c127a601a807d
Instruction Fuzzy Hash: 2112E43AA18611CFCB04CF28E89066AB3F2FB8E315F19847DD98A97352D7349945CB85

Function 0042A96A Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29069653d1576b781a6dad65962dbb8635d68ca22303e45bf67318e77b03a49
Instruction ID: 2c477084993a33088d37bba3f059407362ccd068a9f5619b0dce89a35010763c
Opcode Fuzzy Hash: f29069653d1576b781a6dad65962dbb8635d68ca22303e45bf67318e77b03a49
Instruction Fuzzy Hash: 95E1052164C3E18BD7358F2984903ABFBD2AF97300F48496ED8D99B382D7398416C767

Function 004142E0 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea9208d1a23c046d84d2bb213fb1603c31a3af0dd8612dfb0bf0a8534fd0a12
Instruction ID: 950baa307ef61fac1b8db86c963ccc7695260a2fe503ce085870ef768e3eb019
Opcode Fuzzy Hash: dea9208d1a23c046d84d2bb213fb1603c31a3af0dd8612dfb0bf0a8534fd0a12
Instruction Fuzzy Hash: 35A144B15083048BC7249F28D8926BBB3E1EFD6318F18492EE9D28B391F7789945C756

Function 0041895F Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f6e9b40e9f7719d3893cef25ecc5d4a19804311d22bf1d2d0af2f61b9ba396
Instruction ID: a04235477dfd1905a4e4d199bb24443ee7e97cba45d900153b2cddd32c85e83a
Opcode Fuzzy Hash: 72f6e9b40e9f7719d3893cef25ecc5d4a19804311d22bf1d2d0af2f61b9ba396
Instruction Fuzzy Hash: 119113769083518BC325CF24C8913E7B3A1EF95310F1A8A6ED8C65B341E779AC86C785

Function 00438B00 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5daf988480bef6507c944e16cc69d0a76988bf7e68d426b1ec236d4bcf4a494
Instruction ID: 1b58c5da0586d747452119d26138aba55f765d0aa29837898ddae360bc2baaf1
Opcode Fuzzy Hash: e5daf988480bef6507c944e16cc69d0a76988bf7e68d426b1ec236d4bcf4a494
Instruction Fuzzy Hash: 1B516C76B093104BD7149B24DC8073BF7A2DBDA714F29952EF5C55B382DE38AC02879A

Function 0040D1C7 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b020dff436126f13a45bc76c1d90e54a1ffaf932253cade2f2c65d24420f2d45
Instruction ID: 2548437cb788fda130431fa846b8285ec5ffb5a1cbf8007a768b5723d1372b6f
Opcode Fuzzy Hash: b020dff436126f13a45bc76c1d90e54a1ffaf932253cade2f2c65d24420f2d45
Instruction Fuzzy Hash: E0513576A146408FDB28CF39CCA17777BE2AF96314B09C47DD486DB396DA38E8058718

Function 00429EF8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beaa726a5c164c45a66496a8e4e65921f43a608172d3fe0f57dda7d7f91ae491
Instruction ID: 8ba95efc9c89ef4b5b85eab29e0d9da9418972fd80a367163851d2d11555653c
Opcode Fuzzy Hash: beaa726a5c164c45a66496a8e4e65921f43a608172d3fe0f57dda7d7f91ae491
Instruction Fuzzy Hash: 40519B217083618BD7298E2894E16777782DF96320F9D826EDD924B7C6D22D8C0AD35F

Function 0040D7B4 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab07bd7374c9644cbdaab8c64895e8949f8c4aa7d4ff5c3097d6b13f0e5c95aa
Instruction ID: 369512d6cd64a1d2e75d4d8eea207855d8f5bf0779b2a0c03d1f4b62fe1367ff
Opcode Fuzzy Hash: ab07bd7374c9644cbdaab8c64895e8949f8c4aa7d4ff5c3097d6b13f0e5c95aa
Instruction Fuzzy Hash: 3A41387AB406005BD615BB629C9263F7362EFD2718F18403EE586273C3DA7CAC06C65E

Function 0040E2CF Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1b313cfdca29bf762e69fe9ba82f988d5cd95722a07fd2e3347f515b1d9d594
Instruction ID: 9afa4ba34189d19040924469891e76fb8a19db82670bd477210c0f96206c9e3a
Opcode Fuzzy Hash: e1b313cfdca29bf762e69fe9ba82f988d5cd95722a07fd2e3347f515b1d9d594
Instruction Fuzzy Hash: EB41073C3866008BC3298F65C8E147677A3EFAA714B68497ED6D647396C77CAC068B04

Function 004263C1 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9db21ea2459aacfe3a3d3b1aa1a2a1c2eee496ed6365abe069c39768aa62438
Instruction ID: 579d5b16ce76587613173f82801bceac228f5e4c9074940ca599c847a85a22e7
Opcode Fuzzy Hash: c9db21ea2459aacfe3a3d3b1aa1a2a1c2eee496ed6365abe069c39768aa62438
Instruction Fuzzy Hash: 2041F3B56083908FD320CF64A84072FB7E1FBC5719F550A3EE99497281DBB999018B87

Function 0042CAFB Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f011ef72fb0e4d80f3df78356447a2e8c7ac61ee246e1c4ceb3eac49e17043b
Instruction ID: 2c4be59617bd8084c6380483bf84402a8e148dc7db8bb65383c66ae7aec9e4f3
Opcode Fuzzy Hash: 8f011ef72fb0e4d80f3df78356447a2e8c7ac61ee246e1c4ceb3eac49e17043b
Instruction Fuzzy Hash: EA5107B0504B41AFD360CF39C849797BBE5AB4A320F144A2DE4AE87791D735A405CB96

Function 0040D555 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2187eb72e3f1fabe01e89da4775b33a08bdca3b004236166017210bfdd80ef90
Instruction ID: 1a66bd1616f0fa654ce8f5075db046d6039c731cc7750fa1f0b8b03088e58b95
Opcode Fuzzy Hash: 2187eb72e3f1fabe01e89da4775b33a08bdca3b004236166017210bfdd80ef90
Instruction Fuzzy Hash: A3312A38B451009BD7298F94CCE15373793EB96318B28447EDA86573D6E73D9C0A8719

Function 00428160 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190d90955352593323db0f56454822f256c104e9dfa138d748ba594f875f77b0
Instruction ID: c57d5ca269c73b3d3c66bbe4e0c938deb45da70e2ab25e960f0692798ea24c4c
Opcode Fuzzy Hash: 190d90955352593323db0f56454822f256c104e9dfa138d748ba594f875f77b0
Instruction Fuzzy Hash: F841F2B02083958FE7108F65A851B5FBBE4FB86B08F110A2DF695AB281C775D501CB5A

Function 0040E39C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d561d4e577aff4640db6ca9fbe7bd82333474a9ca084f160fe617a8ed1355885
Instruction ID: ec3ee4965a29eb483853914e20d359d8bcf43fe9425c406f081e20217d719906
Opcode Fuzzy Hash: d561d4e577aff4640db6ca9fbe7bd82333474a9ca084f160fe617a8ed1355885
Instruction Fuzzy Hash: BC3138386015019FD32A8B25CCA1A377BE2FF56319F68482DD582933E2D77C6C629B49

Function 0040D076 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f0c4b9b66733849db2b9eed23813e3a150c713e6f3eaeb56fab0d21798eb86
Instruction ID: 79f7f4e77dd58a5f7dbbefa30f094a47f5f7a03851a7117380f377ae6b24f0aa
Opcode Fuzzy Hash: e8f0c4b9b66733849db2b9eed23813e3a150c713e6f3eaeb56fab0d21798eb86
Instruction Fuzzy Hash: 94312477A107424FC329CB39DC91596B7A3ABC2310319C27DD46693265EF75B426C688

Function 0040CF45 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4de3338a2442dd23b6bd7fb609e32885e1a11ea140783a8bb1cbdd605c20c9f2
Instruction ID: 050fa42124f3f46daf63cd84828b6a551105945dc7ffe3fba68fcf268175474a
Opcode Fuzzy Hash: 4de3338a2442dd23b6bd7fb609e32885e1a11ea140783a8bb1cbdd605c20c9f2
Instruction Fuzzy Hash: 2B313838385200CBD7288B10CCE16363763EFA6308F64067ED686173D6C77C5C02871A

Function 00438EB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63fb9cee1c707cdd71164ab7743c8b2674dd602464fccd4c8551d01dce07b2dd
Instruction ID: 7d8941836eb4d0cf5520391c3f6c38068f252d5ccd935eeb22236d54b4864dbe
Opcode Fuzzy Hash: 63fb9cee1c707cdd71164ab7743c8b2674dd602464fccd4c8551d01dce07b2dd
Instruction Fuzzy Hash: A91108367093005BD7209E55DCC063BB657EBDA728F39947EE68417305CF788C018299

Function 00432A90 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f0207f3c175e2f7eb559bac18a9e1e4a6c989109a7ad96abab0491fcbda2b84a
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2D112933B041D40FC3268D3C8500566BFA31BA7234F19539AF4B5AB2D6D6668D8B9359

Function 00428D00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63add9a230e6399eef33deb58eff72e030b1abb6b7467dd7d6058bd84563484d
Instruction ID: c2c3caa4eba607ec02c24ce6c21b5f2ee30797fa55a3adfe5fab05ac86fb0ebd
Opcode Fuzzy Hash: 63add9a230e6399eef33deb58eff72e030b1abb6b7467dd7d6058bd84563484d
Instruction Fuzzy Hash: FB0192B6B1231157D7209E11B4C172FB2A96F60708F58443ED50457381DF79FC098699

Function 0040DE8A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679be5f6d1f31ba29d0a74b45fcde3079020cd3336088093b56d30cd2d2498de
Instruction ID: c20b345d2cbb7f8d38f0c13a4f6f8d7af336a0a686749e904e92d4a46460b2dd
Opcode Fuzzy Hash: 679be5f6d1f31ba29d0a74b45fcde3079020cd3336088093b56d30cd2d2498de
Instruction Fuzzy Hash: 5CD067E9D40001679206A712BC9397B61394A9364CB44103DF907A6362FB29B159555F

Function 0042FE43 Relevance: 40.4, APIs: 1, Strings: 22, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042FEE7

Strings

&, xrefs: 0043002D
(, xrefs: 0042FFBD
%, xrefs: 0042FF75
4, xrefs: 0043009D
=, xrefs: 0042FF65
<, xrefs: 0043005D
", xrefs: 0043000D
, xrefs: 0042FFFD
$, xrefs: 0043001D
0, xrefs: 004301A4
,, xrefs: 0042FFDD
>, xrefs: 0043006D
0, xrefs: 0043007D
8, xrefs: 0043003D
?, xrefs: 004300D5
1, xrefs: 0042FF85
6, xrefs: 004300AD
., xrefs: 0042FFED
2, xrefs: 0043008D
*, xrefs: 004300C5
*, xrefs: 0042FFCD
:, xrefs: 0043004D

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: AllocString
String ID: $"$$$%$&$($*$*$,$.$0$0$1$2$4$6$8$:$<$=$>$?
API String ID: 2525500382-2072951861
Opcode ID: 0b754370f19d75ca4a4469516617a9b083c273429195c99349636bdfe6cac11f
Instruction ID: 8e19ecaa8da9712f0609904da2e2b4264d0ae9bc6d115a7079b4a0c076594083
Opcode Fuzzy Hash: 0b754370f19d75ca4a4469516617a9b083c273429195c99349636bdfe6cac11f
Instruction Fuzzy Hash: 08A1382160C7D18AE336C63C984879FBED16BE7224F084BAED4E85B2D2D3B54506C767

Function 0042F4F2 Relevance: 33.3, APIs: 1, Strings: 18, Instructions: 76COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0042F53F

Strings

M, xrefs: 0042F5A0
`, xrefs: 0042F564
y, xrefs: 0042F58C
(, xrefs: 0042F5D2
', xrefs: 0042F5CD
C, xrefs: 0042F5B4
r, xrefs: 0042F578
h, xrefs: 0042F596
P, xrefs: 0042F5BE
%, xrefs: 0042F5C3
), xrefs: 0042F5D7
{, xrefs: 0042F56E
#, xrefs: 0042F5B9
`, xrefs: 0042F55A
m, xrefs: 0042F582
T, xrefs: 0042F5AA
C, xrefs: 0042F5C8
!, xrefs: 0042F5AF

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: InitVariant
String ID: !$#$%$'$($)$C$C$M$P$T$`$`$h$m$r$y${
API String ID: 1927566239-2618090201
Opcode ID: 6043887bfe4acdd9fd1d2654fe2dae0c881651a0d4f3ad7f97f6702383c55d6c
Instruction ID: 1b14b0f98429bc29e25fd47c2420df7ddcda0f0887c26f4c91c9ad49ba9f3316
Opcode Fuzzy Hash: 6043887bfe4acdd9fd1d2654fe2dae0c881651a0d4f3ad7f97f6702383c55d6c
Instruction Fuzzy Hash: 6C41D37050D7C08EE316CB68D45839BBFD25BE6308F58499DE4C94B382CABA8449CB67

Function 0042F7B9 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 70COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F7C3
VariantInit.OLEAUT32 ref: 0042F7D6

Strings

, xrefs: 0042F81E
&, xrefs: 0042F83C
", xrefs: 0042F828
*, xrefs: 0042F800
,, xrefs: 0042F80A
(, xrefs: 0042F7F6
$, xrefs: 0042F832
., xrefs: 0042F814

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $"$$$&$($*$,$.
API String ID: 2610073882-1741189123
Opcode ID: 5ad79ab2634e9fe3df2e358658c890efc4b8a354b9aedca02a48e462d8abdbd3
Instruction ID: c11783942caa2dee17585e0a966c12244b622c287fd7410d01b20c23b6c2d14f
Opcode Fuzzy Hash: 5ad79ab2634e9fe3df2e358658c890efc4b8a354b9aedca02a48e462d8abdbd3
Instruction Fuzzy Hash: C331E43050D7C18AD325DB38948864FBFE16B97214F888A9DE1E14B3D6C7B6840ACB97

Function 00430930 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00430972
GetSystemMetrics.USER32 ref: 00430982

Strings

Go|&, xrefs: 004309B0

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: MetricsSystem
String ID: Go|&
API String ID: 4116985748-898334850
Opcode ID: d8c3b9444f7f763b191bc3388f6c72bb1b1b862d7ca66563d04cfbdb886f9f9f
Instruction ID: f3c36fca285df6ed61c4820b90c606d27138e20f590784f0eeb22096372c51e6
Opcode Fuzzy Hash: d8c3b9444f7f763b191bc3388f6c72bb1b1b862d7ca66563d04cfbdb886f9f9f
Instruction Fuzzy Hash: D3815AB00097C18AF370DF11D48979FBBE1FBC5749F618A1E80D86A641D7BA5588CF8A

Function 0040B5F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(0040876A), ref: 0040B5F6
FreeLibrary.KERNEL32 ref: 0040B617

Strings

Wu, xrefs: 0040B5F6, 0040B617

Memory Dump Source

Source File: 00000002.00000002.1442340305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3vLKNycnrz.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: ca9ce37597e6a37cbad7b1fbb1ede4322e1c1ed79b09a7689ca17488a61cb0e0
Instruction ID: 55532461e1dd4ca4955dc0e45aead4c654ac0ca17622991b842eff44720a9336
Opcode Fuzzy Hash: ca9ce37597e6a37cbad7b1fbb1ede4322e1c1ed79b09a7689ca17488a61cb0e0
Instruction Fuzzy Hash: 99C01238418000AFEF022F60FE098283E62AB46706B008030BC0080131CB22082EFF4E

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3vLKNycnrz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
3vLKNycnrz.exe

Function 0609A678 Relevance: 2.6, Strings: 1, Instructions: 1335
COMMON

Function 06099430 Relevance: 2.2, Strings: 1, Instructions: 956
COMMON

Function 03291320 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 03292B29 Relevance: 1.6, APIs: 1, Instructions: 61
nativeCOMMON

Function 03292B30 Relevance: 1.6, APIs: 1, Instructions: 60
nativeCOMMON

Function 03291378 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 06095440 Relevance: 1.3, Strings: 1, Instructions: 49
COMMON