Edit tour

Windows Analysis Report
x4PaiRVIyM.exe

Overview

General Information

Sample name:	x4PaiRVIyM.exe renamed because original name is a hash value
Original sample name:	07d746298bccdfde01435ea5968eb08f.exe
Analysis ID:	1581193
MD5:	07d746298bccdfde01435ea5968eb08f
SHA1:	bda240cd0f13f945badb865cf81030220ccfdd5b
SHA256:	0b0def4eee7e9831aa4122f2bb81bb5393be6a91ae39e987b1b87853217df3a1
Tags:	exeLummaStealeruser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality to call native functions

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

x4PaiRVIyM.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\x4PaiRVIyM.exe" MD5: 07D746298BCCDFDE01435EA5968EB08F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["grannyejh.lat", "crosshuaht.lat", "sustainskelet.lat", "breezysmiterz.click", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat", "aspecteirs.lat", "necklacebudi.lat"], "Build id": "c2CoW0--breezy"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4c96f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:17:10.963756+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.175.134	443	TCP
2024-12-27T08:17:13.315259+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.175.134	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:17:12.177678+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	172.67.175.134	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:17:12.177678+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49733	172.67.175.134	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: x4PaiRVIyM.exe.7056.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["grannyejh.lat", "crosshuaht.lat", "sustainskelet.lat", "breezysmiterz.click", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat", "aspecteirs.lat", "necklacebudi.lat"], "Build id": "c2CoW0--breezy"}

Multi AV Scanner detection for submitted file

Source: x4PaiRVIyM.exe	ReversingLabs: Detection: 39%
Source: x4PaiRVIyM.exe	Virustotal: Detection: 40%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.3% probability

Machine Learning detection for sample

Source: x4PaiRVIyM.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: breezysmiterz.click
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: c2CoW0--breezy

Source: x4PaiRVIyM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 172.67.175.134:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ebx-00E4B818h]	0_2_020CF253
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_020CF253
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_020CF253
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov esi, ecx	0_2_020D72C5
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_020F6332
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_020DB357
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_020CA3A2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then lea esi, dword ptr [ebx+01h]	0_2_020ED073
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov edx, ecx	0_2_020E7192
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6A985C1h	0_2_020DB612
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-64E221E2h]	0_2_020DB612
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	0_2_020DB612
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_020FC6D2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A2347758h	0_2_020FC6D2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_020FC6D2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], C72EB52Eh	0_2_020FC6D2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-6F95659Eh]	0_2_020E56E2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+eax+00h]	0_2_020E36F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp-6652ED46h]	0_2_020E36F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov ecx, edx	0_2_020E36F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_020E36F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov edi, edx	0_2_020E36F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ecx]	0_2_020FA7CE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_020DC7C2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_020DE49D
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then jmp ecx	0_2_020E94E8
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_020EB4E2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_020FE4FD
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+6F3BA852h]	0_2_020E2A0D
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax+192C4228h]	0_2_020CEA5B
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-64E22175h]	0_2_020E5A65
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-54988DE3h]	0_2_020E6AC2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movsx esi, byte ptr [eax]	0_2_020FEB43
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_020ECB9B
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_020ECBF1
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov ecx, eax	0_2_020E7802
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then jmp ecx	0_2_020E9879
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov esi, ecx	0_2_020CD8CD
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_020E98D9
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx esi, byte ptr [edx+eax-56h]	0_2_020E7915
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov byte ptr [ecx], dl	0_2_020DD93C
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx esi, word ptr [edx]	0_2_020D9E29
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_020D5E42
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov edi, esi	0_2_020FDEF4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov ecx, eax	0_2_020DCF02
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_020EBF12
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then jmp dword ptr [004447D8h]	0_2_020D8FA0
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9B8FCE03h	0_2_020D7FBE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 41E6EFBDh	0_2_020D7FBE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	0_2_020D7FBE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	0_2_020D7FBE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000090h]	0_2_020D7FBE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov ebx, edx	0_2_020FBFB2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+09h]	0_2_020CBFF2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_020C8C42
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_020C8C42
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-7D69D2A9h]	0_2_020E9C7F
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_020ECB6B
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	0_2_020F9CC2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then test eax, eax	0_2_020F9CC2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-0BCF8926h]	0_2_020DACFC
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-728FB354h]	0_2_02100CE2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 4x nop then cmp al, 5Ch	0_2_020C3DA2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 172.67.175.134:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 172.67.175.134:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: breezysmiterz.click
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.175.134:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.175.134:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: breezysmiterz.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: breezysmiterz.click

Source: unknown

Source: x4PaiRVIyM.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x4PaiRVIyM.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x4PaiRVIyM.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: x4PaiRVIyM.exe, 00000000.00000003.1779129581.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.00000000005C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: x4PaiRVIyM.exe, 00000000.00000003.1779099482.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: x4PaiRVIyM.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: x4PaiRVIyM.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: x4PaiRVIyM.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: x4PaiRVIyM.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: x4PaiRVIyM.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: x4PaiRVIyM.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://breezysmiterz.click/
Source: x4PaiRVIyM.exe, 00000000.00000003.1779129581.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.000000000054E000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.00000000005C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://breezysmiterz.click/api
Source: x4PaiRVIyM.exe, 00000000.00000002.1779445053.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://breezysmiterz.click/apid
Source: x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://breezysmiterz.click/apii
Source: x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://breezysmiterz.click/c
Source: x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://breezysmiterz.click/pi
Source: x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://breezysmiterz.click/piV
Source: x4PaiRVIyM.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 172.67.175.134:443 -> 192.168.2.4:49733 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_0210E185 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_0210E185

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00409448

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00405C98	0_2_00405C98
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00405854	0_2_00405854
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_004058B4	0_2_004058B4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00405270	0_2_00405270
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_004053B4	0_2_004053B4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00404C10	0_2_00404C10
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00405CE4	0_2_00405CE4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00404C84	0_2_00404C84
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_0040457C	0_2_0040457C
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00404D04	0_2_00404D04
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00405D2E	0_2_00405D2E
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_004045CC	0_2_004045CC
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_004045DC	0_2_004045DC
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_004045F0	0_2_004045F0
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_004045F4	0_2_004045F4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00405E85	0_2_00405E85
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C03C5	0_2_020C03C5
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_0210E185	0_2_0210E185
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020EC202	0_2_020EC202
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020CF253	0_2_020CF253
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020EA272	0_2_020EA272
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E12B4	0_2_020E12B4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020FA2C2	0_2_020FA2C2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F92C2	0_2_020F92C2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E3362	0_2_020E3362
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_02100392	0_2_02100392
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C0000	0_2_020C0000
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DF052	0_2_020DF052
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020D00F2	0_2_020D00F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C7172	0_2_020C7172
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C5172	0_2_020C5172
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DE187	0_2_020DE187
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020D21A2	0_2_020D21A2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E21F2	0_2_020E21F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DB612	0_2_020DB612
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E966C	0_2_020E966C
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_02100682	0_2_02100682
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020FC6D2	0_2_020FC6D2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E36F2	0_2_020E36F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C4722	0_2_020C4722
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020CE7DA	0_2_020CE7DA
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C6452	0_2_020C6452
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E7462	0_2_020E7462
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DE49D	0_2_020DE49D
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DF512	0_2_020DF512
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020ED587	0_2_020ED587
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F35E2	0_2_020F35E2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020CA5F2	0_2_020CA5F2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DFA12	0_2_020DFA12
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020CAA32	0_2_020CAA32
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F8A92	0_2_020F8A92
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E2B12	0_2_020E2B12
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C5B22	0_2_020C5B22
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E5B42	0_2_020E5B42
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020FEB43	0_2_020FEB43
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020CEB72	0_2_020CEB72
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020ECB9B	0_2_020ECB9B
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E7BA7	0_2_020E7BA7
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020ECBF1	0_2_020ECBF1
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F8832	0_2_020F8832
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C9882	0_2_020C9882
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DD93C	0_2_020DD93C
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F7960	0_2_020F7960
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E1983	0_2_020E1983
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_021009A2	0_2_021009A2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020EE9C8	0_2_020EE9C8
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C79D2	0_2_020C79D2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020D9E29	0_2_020D9E29
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020D5E42	0_2_020D5E42
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020DAE59	0_2_020DAE59
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C7E62	0_2_020C7E62
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020FDEF4	0_2_020FDEF4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E4F61	0_2_020E4F61
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F8FA2	0_2_020F8FA2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020D7FBE	0_2_020D7FBE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020FBFB2	0_2_020FBFB2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020EDFEE	0_2_020EDFEE
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020CBFF2	0_2_020CBFF2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C8C42	0_2_020C8C42
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020E9C7F	0_2_020E9C7F
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020ECB6B	0_2_020ECB6B
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F9CC2	0_2_020F9CC2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_02100CE2	0_2_02100CE2
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020D2D0C	0_2_020D2D0C
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F1D82	0_2_020F1D82
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020F7DF2	0_2_020F7DF2

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: String function: 020D5E32 appears 71 times
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: String function: 020C9692 appears 72 times

Source: x4PaiRVIyM.exe

Static PE information: invalid certificate

Source: x4PaiRVIyM.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: x4PaiRVIyM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_00409448

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_020C0AD5 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_020C0AD5

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BEC

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: x4PaiRVIyM.exe	ReversingLabs: Detection: 39%
Source: x4PaiRVIyM.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

File read: C:\Users\user\Desktop\x4PaiRVIyM.exe

Jump to behavior

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: x4PaiRVIyM.exe

Static file information: File size 4579882 > 1048576

Source: x4PaiRVIyM.exe

Static PE information: real checksum: 0x1b9b06 should be: 0x460e79

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_004065B8 push 004065F5h; ret	0_2_004065ED
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020FC362 push eax; mov dword ptr [esp], A2A3A4A5h	0_2_020FC370
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020FF032 push eax; mov dword ptr [esp], 9190AF7Eh	0_2_020FF033
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_02102CDD push esi; ret	0_2_02102CE5

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

API coverage: 9.4 %

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe TID: 6408	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe TID: 5516	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B30

Source: x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: x4PaiRVIyM.exe, 00000000.00000002.1779445053.000000000056E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C03C5 mov edx, dword ptr fs:[00000030h]	0_2_020C03C5
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C0985 mov eax, dword ptr fs:[00000030h]	0_2_020C0985
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C0FD4 mov eax, dword ptr fs:[00000030h]	0_2_020C0FD4
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C0FD5 mov eax, dword ptr fs:[00000030h]	0_2_020C0FD5
Source: C:\Users\user\Desktop\x4PaiRVIyM.exe	Code function: 0_2_020C0D35 mov eax, dword ptr fs:[00000030h]	0_2_020C0D35

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: x4PaiRVIyM.exe	String found in binary or memory: sustainskelet.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: aspecteirs.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: energyaffai.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: necklacebudi.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: rapeflowwj.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: crosshuaht.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: discokeyus.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: grannyejh.lat
Source: x4PaiRVIyM.exe	String found in binary or memory: breezysmiterz.click

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: GetLocaleInfoA,

0_2_0040444A

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Code function: 0_2_00404482 GetVersionExA,

0_2_00404482

Source: C:\Users\user\Desktop\x4PaiRVIyM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
x4PaiRVIyM.exe	39%	ReversingLabs
x4PaiRVIyM.exe	40%	Virustotal	Browse
x4PaiRVIyM.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://breezysmiterz.click/apid	0%	Avira URL Cloud	safe
https://breezysmiterz.click/api	0%	Avira URL Cloud	safe
https://breezysmiterz.click/piV	0%	Avira URL Cloud	safe
https://breezysmiterz.click/c	0%	Avira URL Cloud	safe
https://breezysmiterz.click/pi	0%	Avira URL Cloud	safe
breezysmiterz.click	0%	Avira URL Cloud	safe
https://breezysmiterz.click/	0%	Avira URL Cloud	safe
https://breezysmiterz.click/apii	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
breezysmiterz.click	172.67.175.134	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
breezysmiterz.click	true	Avira URL Cloud: safe	unknown
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
https://breezysmiterz.click/api	true	Avira URL Cloud: safe	unknown
grannyejh.lat	false		high
aspecteirs.lat	false		high
discokeyus.lat	false		high
energyaffai.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sectigo.com/CPS0	x4PaiRVIyM.exe	false		high
https://breezysmiterz.click/apii	x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	x4PaiRVIyM.exe, 00000000.00000003.1779099482.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	x4PaiRVIyM.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	x4PaiRVIyM.exe	false		high
http://ocsp.sectigo.com0	x4PaiRVIyM.exe	false		high
https://breezysmiterz.click/piV	x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://breezysmiterz.click/apid	x4PaiRVIyM.exe, 00000000.00000002.1779445053.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	x4PaiRVIyM.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	x4PaiRVIyM.exe	false		high
https://breezysmiterz.click/	x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://breezysmiterz.click/pi	x4PaiRVIyM.exe, 00000000.00000003.1779129581.0000000000598000.00000004.00000020.00020000.00000000.sdmp, x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://breezysmiterz.click/c	x4PaiRVIyM.exe, 00000000.00000002.1779445053.0000000000564000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.175.134	breezysmiterz.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581193
Start date and time:	2024-12-27 08:16:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x4PaiRVIyM.exe renamed because original name is a hash value
Original Sample Name:	07d746298bccdfde01435ea5968eb08f.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 132
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:17:11	API Interceptor	2x Sleep call for process: x4PaiRVIyM.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.175.134	PO# 0499699.exe	Get hash	malicious	FormBook	Browse	www.yihetubu.com/u6e4/?l0DL=bT6Hn4EpFnWH&U6ApY=IHGRx2D03MO2Li40IzUvs7zF3B/N+nlQ0tWfuVZKRE1k94k9L8v4sWIwR5z1KUInAjtt
172.67.175.134	RE; KOC RFQ for Flangers - RFQ 22965431.exe	Get hash	malicious	FormBook	Browse	www.yihetubu.com/u6e4/?t4qdXV=IHGRx2D03MO2Li40IzUvs7zF3B/N+nlQ0tWfuVZKRE1k94k9L8v4sWIwR5z1KUInAjtt&irj=3fI8l

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	3vLKNycnrz.exe	Get hash	malicious	LummaC	Browse	104.21.62.151
	installer.bat	Get hash	malicious	Vidar	Browse	172.64.41.3
	skript.bat	Get hash	malicious	Vidar	Browse	162.159.61.3
	din.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	lem.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	markiz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	utkin.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	0Gs0WEGB1E.dll	Get hash	malicious	Unknown	Browse	104.21.22.88
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	3vLKNycnrz.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	172.67.175.134
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.175.134
	0zBsv1tnt4.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	cqHMm0ykDG.exe	Get hash	malicious	LummaC	Browse	172.67.175.134
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	172.67.175.134

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.994551971610554
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	x4PaiRVIyM.exe
File size:	4'579'882 bytes
MD5:	07d746298bccdfde01435ea5968eb08f
SHA1:	bda240cd0f13f945badb865cf81030220ccfdd5b
SHA256:	0b0def4eee7e9831aa4122f2bb81bb5393be6a91ae39e987b1b87853217df3a1
SHA512:	5af308a2f64b7854405b069dc39ca139f270dbbbb46ecf4ac3b6168ed8fad634eb0afdd84ed72b396aba38c68e377028acbbb852b2e67df69b73f3c3478b686f
SSDEEP:	98304:p3CAJ6KOJEq5zh/a84KlgJnE7x2KOJEq5zh/a84KlgJnE7h:t16ZJx5zhFynE7cZJx5zhFynE7h
TLSH:	912633667514CBBBF6E7C032DE4665C19CD3BC4A50909D8E98B8CDF11EAFA8F204B590
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2f232d67b7934633

Static PE Info

General

Entrypoint:	0x409c40
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/12/2023 19:00:00 12/12/2024 18:59:59
Subject Chain	CN=FH Manager, O=FH Manager, S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	FC7AFEABF8E3E561F165BA065EFB55B1
Thumbprint SHA-1:	DDF30E830B0F5EA422E6EF4FA1EDB76C4DDA1841
Thumbprint SHA-256:	E1223427BF9091509CDE343DA265D51A941B05285F29CD3CC55794A8E3CB3E8F
Serial:	0CDF20599C834E3EF537BAE3E63896BB

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FB07C6AB4BBh
call 00007FB07C6AC6C2h
call 00007FB07C6AC951h
call 00007FB07C6AE988h
call 00007FB07C6AE9CFh
call 00007FB07C6B12FEh
call 00007FB07C6B1465h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007FB07C6B1ECBh
call 00007FB07C6B1AFEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FB07C6AEFB8h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007FB07C6AB567h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 0040738Ch
call 00007FB07C6AF847h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FB07C6B1F3Bh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FB07C6B207Ah
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h
call 00007FB07C6AFC48h
mov edx, dword ptr [000000F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x53800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x45b68a	0x2ba0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9364	0x9400	3026e4057f603ea3534baf308dc2bdab	False	0.6630331503378378	data	6.777247155569041	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	e8f82382eefca31b62f6a8c8a52ff421	False	0.3154296875	data	2.753482278202086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe4c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x53800	0x53800	33e007cb407801c57ade66900a64afb8	False	0.6627263052020959	data	7.59851779558257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x113b4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	English	United States	0.6317567567567568
RT_ICON	0x114dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.5823699421965318
RT_ICON	0x11a44	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	English	United States	0.5120967741935484
RT_ICON	0x11d2c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.5509927797833934
RT_ICON	0x125d4	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.36341463414634145
RT_ICON	0x12c3c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42350746268656714
RT_STRING	0x13ae4	0x2f2	data			0.35543766578249336
RT_STRING	0x13dd8	0x30c	data			0.3871794871794872
RT_STRING	0x140e4	0x2ce	data			0.42618384401114207
RT_STRING	0x143b4	0x68	data			0.75
RT_STRING	0x1441c	0xb4	data			0.6277777777777778
RT_STRING	0x144d0	0xae	data			0.5344827586206896
RT_RCDATA	0x14580	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x145ac	0x5a	data	English	United States	0.7333333333333333
RT_VERSION	0x14608	0x4b8	COM executable for DOS	English	United States	0.30629139072847683
RT_MANIFEST	0x14ac0	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T08:17:10.963756+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.175.134	443	TCP
2024-12-27T08:17:12.177678+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	172.67.175.134	443	TCP
2024-12-27T08:17:12.177678+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	172.67.175.134	443	TCP
2024-12-27T08:17:13.315259+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	172.67.175.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:17:09.738843918 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:09.738899946 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:09.738993883 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:09.742043018 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:09.742059946 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:10.963681936 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:10.963756084 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:10.971724987 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:10.971767902 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:10.972001076 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:11.018225908 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:11.133136988 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:11.133169889 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:11.133280039 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:12.177686930 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:12.177774906 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:12.177855015 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:12.200318098 CET	49733	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:12.200346947 CET	443	49733	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:12.211139917 CET	49734	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:12.211184025 CET	443	49734	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:12.211256027 CET	49734	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:12.212584019 CET	49734	443	192.168.2.4	172.67.175.134
Dec 27, 2024 08:17:12.212595940 CET	443	49734	172.67.175.134	192.168.2.4
Dec 27, 2024 08:17:13.315258980 CET	49734	443	192.168.2.4	172.67.175.134

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:17:09.361124992 CET	57261	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:17:09.732237101 CET	53	57261	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:17:09.361124992 CET	192.168.2.4	1.1.1.1	0x2fd3	Standard query (0)	breezysmiterz.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:17:09.732237101 CET	1.1.1.1	192.168.2.4	0x2fd3	No error (0)	breezysmiterz.click		172.67.175.134	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:17:09.732237101 CET	1.1.1.1	192.168.2.4	0x2fd3	No error (0)	breezysmiterz.click		104.21.96.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

breezysmiterz.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	172.67.175.134	443	7056	C:\Users\user\Desktop\x4PaiRVIyM.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:17:11 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: breezysmiterz.click
2024-12-27 07:17:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 07:17:12 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:17:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2k9bkc45ukockg0otu82jo1v12; expires=Tue, 22 Apr 2025 01:03:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rUkdHoO%2FwYArajtiuS%2B%2F4BqcmqZS5GEWwS0N%2FNdw8jQVJNJR9U9CfPHst%2FYayQq8wFXpLm%2B%2FkimEsZaRKz7XPYiHV08jdWFrkBxu1RIdHB77Gdjf3hLvFj5egLhojlg8pNC1rL%2B9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f87878999584362-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2411&min_rtt=2400&rtt_var=922&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2851&recv_bytes=910&delivery_rate=1172219&cwnd=250&unsent_bytes=0&cid=7a529f8cafaaf456&ts=1227&x=0"
2024-12-27 07:17:12 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 07:17:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:17:02
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\x4PaiRVIyM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x4PaiRVIyM.exe"
Imagebase:	0x400000
File size:	4'579'882 bytes
MD5 hash:	07D746298BCCDFDE01435EA5968EB08F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	69.2%
Signature Coverage:	21.9%
Total number of Nodes:	169
Total number of Limit Nodes:	11

Executed Functions

Function 0210E185 Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 0210E21E
NtMapViewOfSection.NTDLL(?,00000000), ref: 0210E2C6
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0210E63A
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 0210E6EF
VirtualProtect.KERNELBASE(?,?,00000008,?,?,?,?,?,?,?), ref: 0210E70C
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 0210E7AF
VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,?,?,?,?), ref: 0210E7E2
CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0210E953

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: 119840db42a6952603409888da444018096b3eed513ee6bff015725fe81999c8
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: 78426B71A483019FDB24CF65C884B6ABBE9FF88714F14492DF995DB291E7B0E840CB91

Function 020C0AD5 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,020C061B,?,00000001,?,81EC8B55,000000FF), ref: 020C0B13
Thread32First.KERNEL32(00000000,0000001C), ref: 020C0B3F
Wow64SuspendThread.KERNEL32(00000000), ref: 020C0B92
CloseHandle.KERNELBASE(00000000), ref: 020C0BBC

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: c6ab32a7dbc24870730aa2bb219f88dedb83ff304f76809a0ab57ac096fe8b41
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 5641F0B5600209EFDB18DF98C490BADB7F6EF88304F20816CE6159B794DB34AE45CB54

Function 020C03C5 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 020C0668
TerminateProcess.KERNELBASE(000000FF,00000000), ref: 020C095C

Strings

bEc, xrefs: 020C0431

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID: CreateProcessTerminateThread
String ID: bEc
API String ID: 1197810419-968463770
Opcode ID: 719212472fccb540c1fe55a7f8193a09798d8298f831598ce111912240aa4881
Instruction ID: 5bb67474fd347afd7a2e093d8f3a1dac4d6f24e82fb2ff1ef5b4d6184c930a63
Opcode Fuzzy Hash: 719212472fccb540c1fe55a7f8193a09798d8298f831598ce111912240aa4881
Instruction Fuzzy Hash: 7212C2B4E00219DBDB18CF98C990BEDBBB2FF88304F2482A9D515AB395C7356A41DF54

Function 020C0985 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 020C0A51

Strings

,, xrefs: 020C0A9D

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 076a7aff21b1bb303ec2bfb06b0bd319d03a4d8750f1237a5f04085f77df635b
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: B841A574A00209EFDB14CF98C994BAEB7B2FF88314F208298D5156B391D775AE81DF94

Function 00405CE4 Relevance: 1.5, APIs: 1, Instructions: 247
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-D4B31820), ref: 00405CFC

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d63ec981ddf0e84e7a14cf07a3c6889465179f5b58db28bdd862ba16f9a23b19
Instruction ID: b0b0e27e66d21fcfb25559d8c728905a25e9dc23e86186155415f21b9c884410
Opcode Fuzzy Hash: d63ec981ddf0e84e7a14cf07a3c6889465179f5b58db28bdd862ba16f9a23b19
Instruction Fuzzy Hash: 8D810937D542158FD308EF7AEE4662A77A1EB80304B46813FD942B71A6CF3818128BCD

Function 00405C98 Relevance: 1.5, APIs: 1, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-D4B31820), ref: 00405CFC

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 97fa9f1b1b9c828e9519fbd967cec5093fb018c9c2c65a5493433bcf01a2eb3b
Instruction ID: f25ad1aa39492dbe1593cddfc6dfd3ee84072fd57dbd934abab414e45cc3be81
Opcode Fuzzy Hash: 97fa9f1b1b9c828e9519fbd967cec5093fb018c9c2c65a5493433bcf01a2eb3b
Instruction Fuzzy Hash: 9081D4379147218BD348EF7AEE5A52A37A1EB80314742853FE942B71B6DF3419428BCD

Function 00405D2E Relevance: .2, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b025d90ad5e191edba6dafdaadfe17ce75940a4f70bfee07e7b979ba69129a83
Instruction ID: 9296528e241a03051ff9cd15e0cdb9a460f3580ec1f86699581b55d45115f1c1
Opcode Fuzzy Hash: b025d90ad5e191edba6dafdaadfe17ce75940a4f70bfee07e7b979ba69129a83
Instruction Fuzzy Hash: FB81F736D502158BD708EF7AEE4662A7761EB90314B46813FD943B72A6DB3818128BCD

Function 00405E85 Relevance: .2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04421779516b2b6d238e9f50d530aa0607eafb0cbe23f7bff16d6bc2bf409b67
Instruction ID: 40a9f992c9fde089e4e3ff3208fb41036a66ec80b815512836150be068606bfa
Opcode Fuzzy Hash: 04421779516b2b6d238e9f50d530aa0607eafb0cbe23f7bff16d6bc2bf409b67
Instruction Fuzzy Hash: 4C51E4369402158FD714EFBAEE4A66677A5EB44304F06813FD542BB2E6CB7818118BCD

Function 0210EE03 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000,?,?), ref: 0210EE95

Strings

.dll, xrefs: 0210EE3A

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: 0d4227463b9d776e4c5c37b8670d5b188c1b33cc394d15de378ae0bca7d58b12
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: B1212C366002998FEB25CF6DC8C4B697BE4EF01324F28446DD805CBA91D7B0E845CB80

Function 0210DA55 Relevance: 2.8, APIs: 2, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0210DACF
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 0210DE13

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: 63020fefbc9be2c8a79f1741635c5e1b36e1be144332f8a2f2ee76f3073dbc6a
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: 2AB1C031580706AFDB35AEA4ECC0BA7B7E9FF46304F140919E959861C0E7B2E551CFA2

Non-executed Functions

Function 020F7DF2 Relevance: 74.1, Strings: 59, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 020F7FB7
G, xrefs: 020F7F47
Q, xrefs: 020F7F8D
D, xrefs: 020F7ED0
5, xrefs: 020F819A
L, xrefs: 020F804A
X, xrefs: 020F7F94
O, xrefs: 020F7E36
S, xrefs: 020F7F9B
a, xrefs: 020F7FFD
u, xrefs: 020F8089
o, xrefs: 020F7F86
_, xrefs: 020F7F08
_, xrefs: 020F7FEF
,, xrefs: 020F812A
n, xrefs: 020F839F
", xrefs: 020F80E4
Q, xrefs: 020F7E60
[, xrefs: 020F7FD3
I, xrefs: 020F7F55
k, xrefs: 020F8043
R, xrefs: 020F8074
g, xrefs: 020F8027
c, xrefs: 020F800B
@, xrefs: 020F7FF6
e, xrefs: 020F8019
w, xrefs: 020F8097
], xrefs: 020F7EB4
M, xrefs: 020F7F71
W, xrefs: 020F7E44
o, xrefs: 020F805F
D, xrefs: 020F7E7C
}, xrefs: 020F80C1
X, xrefs: 020F7E8A
r, xrefs: 020F825F
T, xrefs: 020F7EEC
M, xrefs: 020F7EDE
D, xrefs: 020F7EA6
C, xrefs: 020F7F2B
E, xrefs: 020F7F39
{, xrefs: 020F80B3
Y, xrefs: 020F7FC5
\, xrefs: 020F7DFE
O, xrefs: 020F7F7F
4, xrefs: 020F8389
`, xrefs: 020F7F16
g, xrefs: 020F7E28
], xrefs: 020F7FE1
y, xrefs: 020F80A5
U, xrefs: 020F7FA9
K, xrefs: 020F7F63
s, xrefs: 020F807B
I, xrefs: 020F7E6E
i, xrefs: 020F8035
u, xrefs: 020F7E0C
m, xrefs: 020F8051
q, xrefs: 020F806D
|, xrefs: 020F7FA2
A, xrefs: 020F7F1D

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: "$,$4$5$@$A$C$D$D$D$E$G$I$I$K$L$M$M$O$O$Q$Q$R$S$T$U$W$W$X$X$Y$[$\$]$]$_$_$`$a$c$e$g$g$i$k$m$n$o$o$q$r$s$u$u$w$y${$|$}
API String ID: 0-1098736463
Opcode ID: 07f120719a5796ee8f2f401f98331c6a1a843580c82a45bc371b9ab24683da94
Instruction ID: 99d963d3aacdc92ae7b90899d86cb329623813e9d47ece0b8776a1482eb8c508
Opcode Fuzzy Hash: 07f120719a5796ee8f2f401f98331c6a1a843580c82a45bc371b9ab24683da94
Instruction Fuzzy Hash: FE22EC209087E98DDB32C6388C487D9BFB15B67324F0842D9D1E96B2D2C7B50B85DF66

Function 020F7960 Relevance: 44.1, Strings: 35, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;, xrefs: 020F79AD
7, xrefs: 020F799D
3, xrefs: 020F798D
=, xrefs: 020F79B5
#, xrefs: 020F79CD
K, xrefs: 020F7B3A
!, xrefs: 020F79C5
A, xrefs: 020F7A11
9, xrefs: 020F79A5
&, xrefs: 020F7A49
0, xrefs: 020F7C52
>, xrefs: 020F7B14
+, xrefs: 020F79ED
), xrefs: 020F79E5
@, xrefs: 020F7B4A
Y, xrefs: 020F7B52
^, xrefs: 020F7B42
', xrefs: 020F79DD
F, xrefs: 020F7A19
-, xrefs: 020F79F5
5, xrefs: 020F7A29
1, xrefs: 020F7985
H, xrefs: 020F7A21
<, xrefs: 020F7B0B
\, xrefs: 020F7B5A
A, xrefs: 020F7A09
/, xrefs: 020F79FD
%, xrefs: 020F79D5
?, xrefs: 020F79BD
S, xrefs: 020F7B62
%, xrefs: 020F7A41
5, xrefs: 020F7995
), xrefs: 020F7C71
J, xrefs: 020F7A39
N, xrefs: 020F7A31

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: !$#$%$%$&$'$)$)$+$-$/$0$1$3$5$5$7$9$;$<$=$>$?$@$A$A$F$H$J$K$N$S$Y$\$^
API String ID: 0-1105601194
Opcode ID: 9b3c312f4d815129af7482d2aac7103459aa2b3d76412cbc457a7c7caf0e0d14
Instruction ID: 78978d8852aefa3957829c35c6943543a030e2a5d3a98b6e1e72be5c5cb76a5c
Opcode Fuzzy Hash: 9b3c312f4d815129af7482d2aac7103459aa2b3d76412cbc457a7c7caf0e0d14
Instruction Fuzzy Hash: 5EE18021D087E98ADB22C6BC88443DDBFB15B56324F0843D9D5A46B3E2C7754A46CBA2

Function 020DB612 Relevance: 43.9, Strings: 34, Instructions: 1441COMMON

Download Yara Rule

Strings

!d, xrefs: 020DB79F
!d, xrefs: 020DC4C4
!d, xrefs: 020DBCC0
!d, xrefs: 020DB858
!d, xrefs: 020DBEC1
!d, xrefs: 020DC177
!d, xrefs: 020DBD48
!d, xrefs: 020DC65A
!d, xrefs: 020DC730
!d, xrefs: 020DBF10
!d, xrefs: 020DC392
!d, xrefs: 020DC000
!d, xrefs: 020DBBDF
!d, xrefs: 020DB634
!d, xrefs: 020DB954
!d, xrefs: 020DBDE9
!d, xrefs: 020DC6E5
!d, xrefs: 020DB8A0
!d, xrefs: 020DC617
!d, xrefs: 020DBC75
!d, xrefs: 020DC263
!d, xrefs: 020DC2AF
!d, xrefs: 020DC110
!d, xrefs: 020DC481
!d, xrefs: 020DBD90
!d, xrefs: 020DBFAE
!d, xrefs: 020DB7F0
!d, xrefs: 020DC350
!d, xrefs: 020DC0CD
!d, xrefs: 020DBE30
!d, xrefs: 020DBC30
!d, xrefs: 020DB9A0
!d, xrefs: 020DB680
!d, xrefs: 020DC1C0

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: !d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d$!d
API String ID: 0-74847627
Opcode ID: e930722a54d5859a7c7d5339ac4bf6f78a68cc5947ec76fa0a1249fff59b9bf4
Instruction ID: 223f8c0d1e407b0378d7e8864bd971321348ae34120cb57269dce1b1218e5e5d
Opcode Fuzzy Hash: e930722a54d5859a7c7d5339ac4bf6f78a68cc5947ec76fa0a1249fff59b9bf4
Instruction Fuzzy Hash: C9A27575A593009BE325CF24CC81B6BBBE3FBD5304F29892CE6819B255DB74D901DB42

Function 020E5B42 Relevance: 22.9, Strings: 18, Instructions: 440COMMON

Download Yara Rule

Strings

<k;m, xrefs: 020E6617
'g>i, xrefs: 020E660C
J'G), xrefs: 020E655C
*s,u, xrefs: 020E65D5
R/Q, xrefs: 020E6572
c6e, xrefs: 020E6601
cE, xrefs: 020E6259
@@, xrefs: 020E627A
*{-}, xrefs: 020E65EB
gX, xrefs: 020E63E5
E+G-, xrefs: 020E6567
7w(y, xrefs: 020E65E0
]3R5, xrefs: 020E6525
Ix, xrefs: 020E626F
B?o!, xrefs: 020E6546
_7T9, xrefs: 020E6530
TK, xrefs: 020E6264
^P, xrefs: 020E603D

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: c6e$'g>i$*s,u$*{-}$7w(y$<k;m$@@$B?o!$E+G-$Ix$J'G)$R/Q$TK$]3R5$_7T9$cE$gX$^P
API String ID: 0-909947336
Opcode ID: 6df840ea809ea582fedfa04ed4cc2bf5bfba667ee6324b6c295675143950d415
Instruction ID: f51a73eb46924b4833a50841d6153f66e49aa8e1f5601c99162c909fda2805ed
Opcode Fuzzy Hash: 6df840ea809ea582fedfa04ed4cc2bf5bfba667ee6324b6c295675143950d415
Instruction Fuzzy Hash: 4F32EAB460C3918AC334CF64C4027DFBBF2EB92304F40892CC5E96B256D7B5464A9B97

Function 00404C10 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 417libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,-1B69B7A5), ref: 00404D14

Strings

8kN2, xrefs: 00405058
kern, xrefs: 00404DC0
Dd32, xrefs: 004051FA
kern, xrefs: 00404DDE
dl?2, xrefs: 00404EA5
el32, xrefs: 0040503D
lloc, xrefs: 004051F4
el32, xrefs: 00404D03
Iern, xrefs: 00404C5A

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: LibraryLoad
String ID: 8kN2$Dd32$Iern$dl?2$el32$el32$kern$kern$lloc
API String ID: 1029625771-2110291789
Opcode ID: 4fef5545c8f4f9f91ed4f6163058f676129f8d4546ce305992489ac3a73b7d5f
Instruction ID: a395ffc6bdf6ba5864528507bce8c91081d2db81a7af191b2929abe29f4557bf
Opcode Fuzzy Hash: 4fef5545c8f4f9f91ed4f6163058f676129f8d4546ce305992489ac3a73b7d5f
Instruction Fuzzy Hash: D4E1D577C503208FD708EF76EE8646A3662FB90319302963ED942B75B6CF3919018ACD

Function 00404C84 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 387libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,-1B69B7A5), ref: 00404D14

Strings

8kN2, xrefs: 00405058
kern, xrefs: 00404DC0
Dd32, xrefs: 004051FA
kern, xrefs: 00404DDE
dl?2, xrefs: 00404EA5
el32, xrefs: 0040503D
lloc, xrefs: 004051F4
el32, xrefs: 00404D03

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: LibraryLoad
String ID: 8kN2$Dd32$dl?2$el32$el32$kern$kern$lloc
API String ID: 1029625771-3383823138
Opcode ID: dc87da468aa95f523bf83184c2ef42235ea01f588ff994cb5b3e0daed1aaf073
Instruction ID: 3fe5a11a4a86eccc7bfe225244ac8990f2808fce7754665156b3a855b556a16c
Opcode Fuzzy Hash: dc87da468aa95f523bf83184c2ef42235ea01f588ff994cb5b3e0daed1aaf073
Instruction Fuzzy Hash: 8BD1E377C543248FD708EF76EE8646A3662FB90309302963ED902B76B5CF3919058ACD

Function 00404D04 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,-1B69B7A5), ref: 00404D14

Strings

8kN2, xrefs: 00405058
kern, xrefs: 00404DC0
Dd32, xrefs: 004051FA
kern, xrefs: 00404DDE
dl?2, xrefs: 00404EA5
el32, xrefs: 0040503D
lloc, xrefs: 004051F4
el32, xrefs: 00404D04

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: LibraryLoad
String ID: 8kN2$Dd32$dl?2$el32$el32$kern$kern$lloc
API String ID: 1029625771-3383823138
Opcode ID: e7cd25aba92ca2a3baf7792a9721df857903e4c9a578cfdffca9e01928c731fa
Instruction ID: d4db30c9edc095f5ceb8fba1d2202719ac99180c35b26cb9b85e8662f70bcf33
Opcode Fuzzy Hash: e7cd25aba92ca2a3baf7792a9721df857903e4c9a578cfdffca9e01928c731fa
Instruction Fuzzy Hash: 2BC1E377C543248FD708EF76EE8646A3662FB90309306963ED902B76B5CF3919058ACD

Function 020CA5F2 Relevance: 14.2, Strings: 11, Instructions: 400COMMON

Download Yara Rule

Strings

3qi_, xrefs: 020CA617
KA5C, xrefs: 020CA74A
nQkb, xrefs: 020CA62F
kQRj, xrefs: 020CA627
IvHM, xrefs: 020CA63F
* ,), xrefs: 020CA732
4>0s, xrefs: 020CA742
iL, xrefs: 020CA782
/ay', xrefs: 020CA722
Y, xrefs: 020CA969
, .!, xrefs: 020CA72A

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: * ,)$, .!$/ay'$3qi_$4>0s$IvHM$KA5C$Y$iL$kQRj$nQkb
API String ID: 0-679520836
Opcode ID: 32ae8231fc42d4b879e493d5aaed9674c0b8c4083451491e67bbba3b31af7a44
Instruction ID: a8a7f57c9ab460e427a35337a3711f422a8452eb5157adc353b548700357eb23
Opcode Fuzzy Hash: 32ae8231fc42d4b879e493d5aaed9674c0b8c4083451491e67bbba3b31af7a44
Instruction Fuzzy Hash: 9EB1F7B174C3958BD326CF35889035BBFE1AFD6204F19896DE8D58B341D339890AD792

Function 020D7FBE Relevance: 12.8, Strings: 10, Instructions: 311COMMON

Download Yara Rule

Strings

!d, xrefs: 020D80C0
!d, xrefs: 020D8291
!d, xrefs: 020D7FD4
!d, xrefs: 020D8210
!d, xrefs: 020D8020
!d, xrefs: 020D811D
!d, xrefs: 020D807C
!d, xrefs: 020D82E0
!d, xrefs: 020D81C5
!d, xrefs: 020D8160

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: !d$!d$!d$!d$!d$!d$!d$!d$!d$!d
API String ID: 0-688171476
Opcode ID: c0a727b38aced11c5a81ebee5f5bae3e14a180c4ac9f2e70b9d672491611fa69
Instruction ID: b4649a7b87e0a8b9fa519de8f79b7494ea4e949a3133d11767cdbe42b4843653
Opcode Fuzzy Hash: c0a727b38aced11c5a81ebee5f5bae3e14a180c4ac9f2e70b9d672491611fa69
Instruction Fuzzy Hash: 3691267AA563209BE325CB048C81A6BB3E7FBE5701F59C12CD78567215DB309D02D786

Function 00409448 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00409457
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3

Strings

SeShutdownPrivilege, xrefs: 0040946F

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F

Function 020F8A92 Relevance: 11.5, Strings: 9, Instructions: 223COMMON

Download Yara Rule

Strings

~, xrefs: 020F8C92
(, xrefs: 020F8BC1
., xrefs: 020F8BB7
t, xrefs: 020F8AAF
Y, xrefs: 020F8C88
+, xrefs: 020F8BB2
j, xrefs: 020F8C97
>, xrefs: 020F8BBC
t, xrefs: 020F8B0B

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: ($+$.$>$Y$j$t$t$~
API String ID: 0-137854095
Opcode ID: 89b97d235b2b0e7f63980cca835740201d8706d8c8be19ce321a4b2e8c85790d
Instruction ID: 680f389f5824d852ab002ced31c690b973f66bf73f71a8a23b85597219ab84a6
Opcode Fuzzy Hash: 89b97d235b2b0e7f63980cca835740201d8706d8c8be19ce321a4b2e8c85790d
Instruction Fuzzy Hash: C781FF2264D7D14AD3528638884429FAFC21BE3234F2CCFACE5F5977D6C569C50693A3

Function 0040457C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 433libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(004045CC,?,00409C60), ref: 00404582
GetProcAddress.KERNEL32(00000000,004045DC), ref: 0040458F
GetProcAddress.KERNEL32(00000000,004045F4), ref: 004045A5

Strings

el32, xrefs: 004049AA
gl32, xrefs: 0040499D

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: el32$gl32
API String ID: 667068680-1212234834
Opcode ID: bbe7c076d9a085b82992743bd6d7a5ac0342887370a36db6df0c086d68587e87
Instruction ID: ce6abfdaa4c488f79f1566206a4e06ccef182e175c079ceb01f60ecae041d7c0
Opcode Fuzzy Hash: bbe7c076d9a085b82992743bd6d7a5ac0342887370a36db6df0c086d68587e87
Instruction Fuzzy Hash: FFE10876D503248FD744FF76AE8652A3762FB90308346963EE942F71A6CF3854019ACE

Function 020CBFF2 Relevance: 9.2, Strings: 7, Instructions: 402COMMON

Download Yara Rule

Strings

p.r, xrefs: 020CC0C3
[LI_, xrefs: 020CC381, 020CC443, 020CC46E, 020CC3E2, 020CC375, 020CC256, 020CC43A, 020CC322, 020CC202
V~<, xrefs: 020CC2FE
[LI_, xrefs: 020CC297
L0N, xrefs: 020CC11B
5@AB, xrefs: 020CC123
|~, xrefs: 020CC0BB

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 5@AB$V~<$[LI_$[LI_$L0N$p.r$|~
API String ID: 0-4162511336
Opcode ID: 3d6a0af01880c53217fe9087e0b555641b698f0608426e1c92ad6ad47da4bc08
Instruction ID: 87d007490f97c2367171d334de618391c75b0dfe2ab3be9c56aba1f8057f6071
Opcode Fuzzy Hash: 3d6a0af01880c53217fe9087e0b555641b698f0608426e1c92ad6ad47da4bc08
Instruction Fuzzy Hash: 13C149B160C3504BD315DF24C8512AFFBE2ABC1608F18896DE8DA9B356E375C50ADB86

Function 020E1983 Relevance: 7.9, Strings: 6, Instructions: 430COMMON

Download Yara Rule

Strings

+, xrefs: 020E1BE7
), xrefs: 020E1BDF
z, xrefs: 020E1C0B
/, xrefs: 020E1BF7
-, xrefs: 020E1BEF
', xrefs: 020E1BD7

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: '$)$+$-$/$z
API String ID: 0-3830927749
Opcode ID: d9bdf2d522b2e7fe6725e5fa3bf903287e331715f59a2ec9417540c63356d7fd
Instruction ID: 665bac44f188e9abca25eeb5a831b542ad89d2022b95d73a9016ccd0d2050edb
Opcode Fuzzy Hash: d9bdf2d522b2e7fe6725e5fa3bf903287e331715f59a2ec9417540c63356d7fd
Instruction Fuzzy Hash: 5A124761108BC18ED316CB3C8848756BFD16B66224F0DC7DDE4EA8F3E3D669D50687A2

Function 020E12B4 Relevance: 7.9, Strings: 6, Instructions: 401COMMON

Download Yara Rule

Strings

-, xrefs: 020E1505
', xrefs: 020E14ED
/, xrefs: 020E150D
), xrefs: 020E14F5
z, xrefs: 020E1521
+, xrefs: 020E14FD

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: '$)$+$-$/$z
API String ID: 0-3830927749
Opcode ID: fa932c6d41ee690fee6acec50a9b2988c0f930675c14c77ca712f7124b95b077
Instruction ID: 0a1ba0d9375fa27d58ee132304314b1302527f79cb33bccd093dfc5b9b722355
Opcode Fuzzy Hash: fa932c6d41ee690fee6acec50a9b2988c0f930675c14c77ca712f7124b95b077
Instruction Fuzzy Hash: BE124761108BC18ED716CB3C8898A56BFD15B66224F0DC6DDD4EA8F3E3C679C506C762

Function 00405270 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 699libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000002), ref: 004056D7

Strings

ualA, xrefs: 0040573D
ualA, xrefs: 00405C81
ualA, xrefs: 00405B93

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: AddressProc
String ID: ualA$ualA$ualA
API String ID: 190572456-3615168271
Opcode ID: d592a81cc7fca46ae3329453e9a68aa271ae1cd37aa715461825f10db0415666
Instruction ID: 81774da39554bedd731861a1661fa41fefd8ff06d1a856f0cf1985483ddd7805
Opcode Fuzzy Hash: d592a81cc7fca46ae3329453e9a68aa271ae1cd37aa715461825f10db0415666
Instruction Fuzzy Hash: D92228779543214FD758EF76EE8646A3252F7C0318342863EE942FB5AACF3855028ACD

Function 004053B4 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 625libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000002), ref: 004056D7

Strings

ualA, xrefs: 0040573D
ualA, xrefs: 00405C81
ualA, xrefs: 00405B93

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: AddressProc
String ID: ualA$ualA$ualA
API String ID: 190572456-3615168271
Opcode ID: e0fbeaab5312f794b77492d95c1a3d64c3e21b336e9e0a51c8b78672ea474aaa
Instruction ID: aad40b1f8c478c3e4b24d984e5f4c9991d70aab6a0182f55370ac57a71e225df
Opcode Fuzzy Hash: e0fbeaab5312f794b77492d95c1a3d64c3e21b336e9e0a51c8b78672ea474aaa
Instruction Fuzzy Hash: CA1226779443254FD748EF76EE8646A3352EBC0318342863EE542FB5AACF3855428ACD

Function 00409B30 Relevance: 7.6, APIs: 5, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B42
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 00409B4D
VirtualProtect.KERNEL32(?,?,00000040,?,?,?,0000001C,?), ref: 00409B8E
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,?,?,0000001C,?), ref: 00409BC0
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 00409BD0

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: e9377b5afe5b72dea238361b2bb5871f3a0709df6bf3f14a5dd1c9312b56f1de
Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
Opcode Fuzzy Hash: e9377b5afe5b72dea238361b2bb5871f3a0709df6bf3f14a5dd1c9312b56f1de
Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669

Function 020DFA12 Relevance: 7.1, Strings: 5, Instructions: 832COMMON

Download Yara Rule

Strings

.CEM, xrefs: 020DFE00
747=, xrefs: 020DFD91
KR, xrefs: 020DFE0B
<?nn, xrefs: 020DFDB9
1, xrefs: 020E0092

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: .CEM$1$747=$<?nn$KR
API String ID: 0-4015433853
Opcode ID: 3e9cfba212479f1620f1b80cf2bbd678b2e96b7ba27c3f2f11c8708b3d1fe90f
Instruction ID: 7acecbe9a6504cd90ca0fe888d317b052158493762e97568afeaa8579a1f2850
Opcode Fuzzy Hash: 3e9cfba212479f1620f1b80cf2bbd678b2e96b7ba27c3f2f11c8708b3d1fe90f
Instruction Fuzzy Hash: 3342277060C3518FCB26CF24C89076EBBE2AFD6314F088A6CE8D69B392D7758545DB52

Function 020E2B12 Relevance: 6.8, Strings: 5, Instructions: 586COMMON

Download Yara Rule

Strings

ycz|, xrefs: 020E2F55
,, xrefs: 020E303B
^, xrefs: 020E2DD5
, xrefs: 020E2DCD
!@, xrefs: 020E2B4C

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: $!@$,$^$ycz|
API String ID: 0-3869496633
Opcode ID: dacc9fbc2794b1f6d94a1fe947db830ab28ae54d49f502b510ad564070bd3a9e
Instruction ID: ba948b16285359995f55bc28a82b7bb275512771ed31fd7e38f980760502d8fe
Opcode Fuzzy Hash: dacc9fbc2794b1f6d94a1fe947db830ab28ae54d49f502b510ad564070bd3a9e
Instruction Fuzzy Hash: B732EF71E083548FDB04CF78C8913AEBFF1AB49324F1846ADD896A73D1D6388985DB52

Function 020E36F2 Relevance: 6.7, Strings: 5, Instructions: 446COMMON

Download Yara Rule

Strings

~>d0, xrefs: 020E3716
12, xrefs: 020E371E
e:d<, xrefs: 020E3732
LRf, xrefs: 020E38D2
HRf, xrefs: 020E38A9

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 12$HRf$LRf$e:d<$~>d0
API String ID: 0-2492380621
Opcode ID: 95d11f2b528a3cbbd6fc672cd3e997bc7cc7ecefc92320e33db5954d6424384b
Instruction ID: 2266bca78ac5e39e08f4de1b6f7bb291c24b8ab632c69319cbaa18c1bfbdde8b
Opcode Fuzzy Hash: 95d11f2b528a3cbbd6fc672cd3e997bc7cc7ecefc92320e33db5954d6424384b
Instruction Fuzzy Hash: FEC13571A083005FDB28DF2488926BBB7E1EF91324F1D956CE89697381E338D9849756

Function 00409BEC Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E

Function 020F92C2 Relevance: 5.6, Strings: 4, Instructions: 647COMMON

Download Yara Rule

Strings

nL>N, xrefs: 020F93A2
|~, xrefs: 020F937A
:, xrefs: 020F943B
Vtuv, xrefs: 020F938A

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: :$Vtuv$nL>N$|~
API String ID: 0-3788807405
Opcode ID: ade14b9d72d28de05d8d3afa69b034f0735ad1b023d55de446fe516c8a9d4a95
Instruction ID: 3f0d82447be0f64f913522ae3a6b0cdf21d5dcc3b74165623a589687f76d24bb
Opcode Fuzzy Hash: ade14b9d72d28de05d8d3afa69b034f0735ad1b023d55de446fe516c8a9d4a95
Instruction Fuzzy Hash: BD12FDB2A483409BD350CF64C880B9BBBE5FBC5714F18892DF6819B791D779D906CB82

Function 020D9E29 Relevance: 5.6, Strings: 4, Instructions: 579COMMON

Download Yara Rule

Strings

PR, xrefs: 020DA2DE
HO, xrefs: 020DA2E6
XG, xrefs: 020DA2F6
KK, xrefs: 020DA2EE

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: HO$KK$PR$XG
API String ID: 0-1829590549
Opcode ID: ec2bd1beddd6af801159e405beb10dedfb130d94ca506c108364c87c68f413be
Instruction ID: a62edcec742036551cdf960aae9cafdaf63eca13a86aebacd49597b21a9f662c
Opcode Fuzzy Hash: ec2bd1beddd6af801159e405beb10dedfb130d94ca506c108364c87c68f413be
Instruction Fuzzy Hash: 00F119726093108BC728CF28C8817ABB7E2FFD9714F599A2DE8C95B354E3749901DB46

Function 020E9C7F Relevance: 5.5, Strings: 4, Instructions: 517COMMON

Download Yara Rule

Strings

yL, xrefs: 020E9FF4
cv, xrefs: 020E9FEC
Oy, xrefs: 020EA004
HD, xrefs: 020E9FFC

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: HD$Oy$cv$yL
API String ID: 0-3619986075
Opcode ID: 0093d78f47166acbd76a8f0da67422d1189f5240c746ade36b22c47a8b9c1f59
Instruction ID: f2e34385e0ab47e2df5faf813da33a08637108b0cabdd97d8d07c11d6e3b99de
Opcode Fuzzy Hash: 0093d78f47166acbd76a8f0da67422d1189f5240c746ade36b22c47a8b9c1f59
Instruction Fuzzy Hash: 47D111B1A0C3218BCB24CF29C89136BB3E2EFD5314F18992CE9D65B790E3798941D746

Function 020DE49D Relevance: 5.3, Strings: 4, Instructions: 348COMMON

Download Yara Rule

Strings

4T0V, xrefs: 020DE507
Gx, xrefs: 020DE52F
G,Q., xrefs: 020DE598
'D'F, xrefs: 020DE527

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 'D'F$4T0V$G,Q.$Gx
API String ID: 0-1171825240
Opcode ID: 843b1d74c268665a03d9df7252fd1c9a4803e2c6ea6531953c0ea4c5912b644f
Instruction ID: fcb7b4a095049eca05d135aea186b4329a82518e762a34393898467951a19f23
Opcode Fuzzy Hash: 843b1d74c268665a03d9df7252fd1c9a4803e2c6ea6531953c0ea4c5912b644f
Instruction Fuzzy Hash: 049134759083108BC714CF25C8A2BABB7F1EFD1314F099A6CE8C98B391E7789544D796

Function 020CA3A2 Relevance: 5.2, Strings: 4, Instructions: 226COMMON

Download Yara Rule

Strings

"",', xrefs: 020CA430
)c[), xrefs: 020CA428
}, xrefs: 020CA468
'.>", xrefs: 020CA420

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: "",'$'.>"$)c[)$}
API String ID: 0-4233123008
Opcode ID: dd0c23818e54c131ccfd9d59e18724053dfa3d9400d82f863107a4ef844516f3
Instruction ID: e81e1825c4e0a44f6b3c1cbb021e42752bbb25cd54f902eb6e97e659b805aac0
Opcode Fuzzy Hash: dd0c23818e54c131ccfd9d59e18724053dfa3d9400d82f863107a4ef844516f3
Instruction Fuzzy Hash: B351E96120C3D68AD7128F35945076FFFE0AF93244F2899AEE4C597242C339C54AE722

Function 020DE187 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

<L(N, xrefs: 020DE1B2
|~, xrefs: 020DE392
{|, xrefs: 020DE1A7
-@aB, xrefs: 020DE18F

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: -@aB$<L(N${|$|~
API String ID: 0-808748806
Opcode ID: 9ec71d71c34a9541b7ad1f0ec3e9c12139c8f4ec45e7b48bf6a516cff28ef6c4
Instruction ID: 01cf3906f1b6d214ec88949e5227d53fd9326f80651e5c4724ae4236a2f14530
Opcode Fuzzy Hash: 9ec71d71c34a9541b7ad1f0ec3e9c12139c8f4ec45e7b48bf6a516cff28ef6c4
Instruction Fuzzy Hash: BA71FEB290D3849BD308DF69C85296FBBE2EBC1304F49991CF4D49B315C639CA09DB86

Function 020FC6D2 Relevance: 4.4, Strings: 3, Instructions: 634COMMON

Download Yara Rule

Strings

HRf, xrefs: 020FC7D8
f, xrefs: 020FC923
LRf, xrefs: 020FC812

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: HRf$LRf$f
API String ID: 0-855236467
Opcode ID: 61318849fa5ca7ed00cc6e06fa0a9861715aa42c66d1a312a38c38f6c6dd71fb
Instruction ID: 662898cd23733129f88b1ce9ba3c882e48984654507e9382d9f73d1947779ae6
Opcode Fuzzy Hash: 61318849fa5ca7ed00cc6e06fa0a9861715aa42c66d1a312a38c38f6c6dd71fb
Instruction Fuzzy Hash: 9D12037158C3458FE795CF24C881B2BBBE1EBC5318F188A2DE6D5976A1D730E841DB82

Function 020DD93C Relevance: 4.3, Strings: 3, Instructions: 510COMMON

Download Yara Rule

Strings

0, xrefs: 020DDDC9
;<, xrefs: 020DDCBD
-3/, xrefs: 020DDE1A

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: -3/$0$;<
API String ID: 0-2161355812
Opcode ID: 0bb427734fc8dd9ec9abef6a0b0e65a869a7e8a3542c76a1ee704a0bff58f30e
Instruction ID: dc7ec1bbe925f67c5a8fd06b14fe227a06cc796efb47af6b55e3edf716c20903
Opcode Fuzzy Hash: 0bb427734fc8dd9ec9abef6a0b0e65a869a7e8a3542c76a1ee704a0bff58f30e
Instruction Fuzzy Hash: 35D1787211A3418BC769CF28C4A1BBBBBE2FF96318F18555CE4D24B391E3798405D762

Function 020CAA32 Relevance: 4.2, Strings: 3, Instructions: 445COMMON

Download Yara Rule

Strings

s, xrefs: 020CAC01
RS, xrefs: 020CAE31
,, xrefs: 020CAD1F

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: ,$RS$s
API String ID: 0-3270998986
Opcode ID: 87f53a0a4daf606007bb89a4b55cc93c0a69d98983e286beb7df8982eb3ebe82
Instruction ID: 1e6b4a169b7974354569970dbf3626ea1ef7413490f0d99fede5641f7edb6f47
Opcode Fuzzy Hash: 87f53a0a4daf606007bb89a4b55cc93c0a69d98983e286beb7df8982eb3ebe82
Instruction Fuzzy Hash: B1D14BB2A083548BD718DF35C8516AFBBE2EBD1314F18892DE5D59B390D738C905CB92

Function 020ED587 Relevance: 4.2, Strings: 3, Instructions: 400COMMON

Download Yara Rule

Strings

oa, xrefs: 020EEAF5
$, xrefs: 020EEAFF
@0^v, xrefs: 020EEB53

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: $$@0^v$oa
API String ID: 0-716873481
Opcode ID: e3bfd9765cbe70a5df6900c577a396747c6e740a0ecc588a7d991f1133180e9b
Instruction ID: cf1d6755e6b60fdf1e90982f7199aa1cef2dc866585cb81333618f9acd59572c
Opcode Fuzzy Hash: e3bfd9765cbe70a5df6900c577a396747c6e740a0ecc588a7d991f1133180e9b
Instruction Fuzzy Hash: 24C1F371A0C3D18FD73ACF2984503ABBBE2AFD7204F18896ED4DA9B282CB744505C752

Function 020EE9C8 Relevance: 4.1, Strings: 3, Instructions: 373COMMON

Download Yara Rule

Strings

oa, xrefs: 020EEAF5
$, xrefs: 020EEAFF
@0^v, xrefs: 020EEB53

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: $$@0^v$oa
API String ID: 0-716873481
Opcode ID: 22a8de168c945b0a3061c55a024772c9e4e2ea676eaafbf0478ebf3bfab461d0
Instruction ID: 118d5239556b29f5f07eeb8c4a50d518dd73ad35b1d7f994fc86fa13f0a07df1
Opcode Fuzzy Hash: 22a8de168c945b0a3061c55a024772c9e4e2ea676eaafbf0478ebf3bfab461d0
Instruction Fuzzy Hash: C1B11471A083918FD73ACF29C4603ABBBE2AFD7210F18856ED4DA9B381DB754505C792

Function 020DAE59 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

ZE, xrefs: 020DAE8F
5Z, xrefs: 020DAFB6
K\, xrefs: 020DAE97

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 5Z$K\$ZE
API String ID: 0-3402789328
Opcode ID: e4a26605fb95898e57386cbcab0a65f9622b03229af0cdb7eb3f466ed1e76423
Instruction ID: 797cfde95a88a921f5944c6f3e6a7c2a94e4ccadfb69c4194c65241dd0cf8f33
Opcode Fuzzy Hash: e4a26605fb95898e57386cbcab0a65f9622b03229af0cdb7eb3f466ed1e76423
Instruction Fuzzy Hash: 8F9167726093218BC725CF28C8A17ABB7F2FFC9754F098A6DE4D64B694E7388501D742

Function 020EA272 Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

0:41, xrefs: 020EA296
7, xrefs: 020EA2B6
82<9, xrefs: 020EA2A6

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 0:41$7$82<9
API String ID: 0-1187993781
Opcode ID: 92259766b158d09afd5443e074bc2e698efaa555a2aaf35817fde80188ce1e5b
Instruction ID: 878cea9aaa5576d1afba80299935d6a3a140a236897901a74fda73b6aec92bb4
Opcode Fuzzy Hash: 92259766b158d09afd5443e074bc2e698efaa555a2aaf35817fde80188ce1e5b
Instruction Fuzzy Hash: EB61E2B250C3818FC721CF28C48076EBBE2AFD6200F198A5DE5D687282D735D94ADB52

Function 020CEB72 Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

715F, xrefs: 020CEC80
4516, xrefs: 020CEC79
BC09, xrefs: 020CEC87

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 4516$715F$BC09
API String ID: 0-2816261542
Opcode ID: ed4637a98e98668c163f6f3393edd73b9640235a52ec5922644893961c039e8d
Instruction ID: 0e30dbe4b1109105738a17910082f6eadd482c16a239d9620263dd548e3c600c
Opcode Fuzzy Hash: ed4637a98e98668c163f6f3393edd73b9640235a52ec5922644893961c039e8d
Instruction Fuzzy Hash: 4A51F3B5600B418BD765CF39CC916A7BBE3BF8A314B58C56CC4968B705DB38E442C750

Function 020DC7C2 Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

/pqr, xrefs: 020DC7F0
_, xrefs: 020DC8DA
+|-~, xrefs: 020DC7E8

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 9ab47c0ce2bc290ed1c2c55ff70e9872b734cb922de93da0ecb2b53517232944
Instruction ID: 5effb4f4dbf85f5d0b9c1f7234e07fe65db32373a2137d1b957eec048da7e607
Opcode Fuzzy Hash: 9ab47c0ce2bc290ed1c2c55ff70e9872b734cb922de93da0ecb2b53517232944
Instruction Fuzzy Hash: 30510F9410879049EB15EF348896B3A7BF1AF49302F1994DECC99DF777E228C2418B5E

Function 020E7802 Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

R<V), xrefs: 020E816A
08, xrefs: 020E80A8
9=, xrefs: 020E80B0

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 08$9=$R<V)
API String ID: 0-768003476
Opcode ID: 4c62ea6d86867b7855b2ce711ff6e833b081c197e1b09fa2951255e3ba94a491
Instruction ID: 563ed4141c9f7c8d375af197f02480bcabfa08a4bd4a84c35f5b093e8699b449
Opcode Fuzzy Hash: 4c62ea6d86867b7855b2ce711ff6e833b081c197e1b09fa2951255e3ba94a491
Instruction Fuzzy Hash: D13167B4A0C3908FD721DF68944179BBAF5FF82300F409A1CD4E9AB262D77985468B87

Function 020C6452 Relevance: 3.3, Strings: 2, Instructions: 819COMMON

Download Yara Rule

Strings

8, xrefs: 020C6DA8
0, xrefs: 020C6DB0

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: b482b8dca7505235c47c4b39858269964b1fc8baed2c7781a967c76a604964c7
Instruction ID: 60437a59265831fca073a34e1028ff94903fcc9af932c6f2f6aa272207f56268
Opcode Fuzzy Hash: b482b8dca7505235c47c4b39858269964b1fc8baed2c7781a967c76a604964c7
Instruction Fuzzy Hash: FF7244B16083409FD765CF18C890BAFBBE5AFC8314F14892DF98987291D376D948DB92

Function 020EDFEE Relevance: 3.0, Strings: 2, Instructions: 502COMMON

Download Yara Rule

Strings

9k>m, xrefs: 020EE57B
., xrefs: 020EE345

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: .$9k>m
API String ID: 0-54712659
Opcode ID: ab9ec98462c4bee29d9e849343b9788ce5f6dfa8b0cfb25abc92ee9c97f811ea
Instruction ID: fece19d82f8ff93871f0eec10f789685d57180e665640821d424e5f912d38b8a
Opcode Fuzzy Hash: ab9ec98462c4bee29d9e849343b9788ce5f6dfa8b0cfb25abc92ee9c97f811ea
Instruction Fuzzy Hash: E8E1E36174C3D18FD7798B69C8903ABBBE2ABD3214F18896CD4CA4B382DB7444898753

Function 020E21F2 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

234, xrefs: 020E2392
Cz{|, xrefs: 020E26C1

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 234$Cz{|
API String ID: 0-3276881663
Opcode ID: f90738bba1fa0a06b7d38f4a190de4ef271c1ef3499fa87bfc53af5663af49b2
Instruction ID: e527d6d388a0c77f4715eea589732829980ffa4794dc1370365c4f5a28d58cd0
Opcode Fuzzy Hash: f90738bba1fa0a06b7d38f4a190de4ef271c1ef3499fa87bfc53af5663af49b2
Instruction Fuzzy Hash: C4C1CCB15183408FC724CF25C86176BB7F1FF92324F098A1CE8928B3A0E7799585DB92

Function 004045CC Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

el32, xrefs: 004049AA
gl32, xrefs: 0040499D

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID: el32$gl32
API String ID: 0-1212234834
Opcode ID: 8e17e6a64b3ee16fdded42f1a6de0052cb5018a70dd96dfd68482eab30a148d7
Instruction ID: 02101077e77780d3e5a867c24458e1e1348b5550a5d12dbbbc9ef6fbe0400e7a
Opcode Fuzzy Hash: 8e17e6a64b3ee16fdded42f1a6de0052cb5018a70dd96dfd68482eab30a148d7
Instruction Fuzzy Hash: 26D1F677D503248BD744FF76EE8646A3762FB90308346963EE942B71A6CB3854029ACD

Function 004045DC Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

el32, xrefs: 004049AA
gl32, xrefs: 0040499D

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID: el32$gl32
API String ID: 0-1212234834
Opcode ID: 90a6764f69772e0139636565ddee076a69a6722ff7019c52dcb7e6063c5d2ff4
Instruction ID: 887d9ac0dbd09b8908d44a3f65f49d7bd7cf9cf3cbb880048f87350c958397da
Opcode Fuzzy Hash: 90a6764f69772e0139636565ddee076a69a6722ff7019c52dcb7e6063c5d2ff4
Instruction Fuzzy Hash: FED1F877D503248BD744FF76EE8646A3762FB90308346963EE942B71B6CB3854029ACD

Function 004045F0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

el32, xrefs: 004049AA
gl32, xrefs: 0040499D

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID: el32$gl32
API String ID: 0-1212234834
Opcode ID: c698c0eb1fc7ec2115f04fad65252df148a37f3900665569620039af56b0ce23
Instruction ID: 1a75c52cf38217e82ac9f0050e96ce052cb3f80f67ae44a4a654fcdebe848d34
Opcode Fuzzy Hash: c698c0eb1fc7ec2115f04fad65252df148a37f3900665569620039af56b0ce23
Instruction Fuzzy Hash: FCD1F577D503248BD744FF76EE8646A3762FB90308346953EE942B71A6CB3854029ACE

Function 020ED073 Relevance: 2.9, Strings: 2, Instructions: 400COMMON

Download Yara Rule

Strings

./#!, xrefs: 020ED3C7
;<, xrefs: 020ED4D1

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: ./#!$;<
API String ID: 0-1180879440
Opcode ID: 3beae18a57c322ecd55e7cf3f7a619580026c0784fcb9b6da2d2a27442ed926a
Instruction ID: a8bc43afc8898a3b1b73ff40815611dcea10b8593fbbd28a54c6f444142d834c
Opcode Fuzzy Hash: 3beae18a57c322ecd55e7cf3f7a619580026c0784fcb9b6da2d2a27442ed926a
Instruction Fuzzy Hash: 4AC1E27450D3D18FDB268F2584907ABBBE1EF97204F18885CD4C99B242C779814ADB57

Function 004045F4 Relevance: 2.9, Strings: 2, Instructions: 399COMMON

Download Yara Rule

Strings

el32, xrefs: 004049AA
gl32, xrefs: 0040499D

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID: el32$gl32
API String ID: 0-1212234834
Opcode ID: 2754846b1aa9a88a47e10ad604bbd367bb886732151d522c27538078f281f10f
Instruction ID: 27900ccd5920fd3491cf02ca7c80f9f29c025962daadb15184cd21d0f9f6c31f
Opcode Fuzzy Hash: 2754846b1aa9a88a47e10ad604bbd367bb886732151d522c27538078f281f10f
Instruction Fuzzy Hash: 3DD1F677D503248BD744FF76EE8646A3762FB90308346953EE942B71B6CB3854029ACE

Function 020C9882 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

YQRS, xrefs: 020C9A45
-, xrefs: 020C9C33

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: -$YQRS
API String ID: 0-2670003640
Opcode ID: 26ea06ad9296961eaab7ccac087bbd4c11775cab4828ad22ee13998c213da068
Instruction ID: 7744dd8dd795a339cbafbd2f57426ee1edc1ae2ea4f6e7b637db0b57f88171b3
Opcode Fuzzy Hash: 26ea06ad9296961eaab7ccac087bbd4c11775cab4828ad22ee13998c213da068
Instruction Fuzzy Hash: D2B14AB2B083454BC31D8F29D89027EB7E2EBC4314F298A2EE496C73D5D778D9059B85

Function 020C5B22 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 020C5F13
), xrefs: 020C5B9D

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 82cde622111fdd8a6262c0cc06c2a16aea45c9fea288912f122ae4edc8743992
Instruction ID: a6618091f14b1c988c9ae8fc0f4a0d170885ec14fce3616e4b52fe529d13a49d
Opcode Fuzzy Hash: 82cde622111fdd8a6262c0cc06c2a16aea45c9fea288912f122ae4edc8743992
Instruction Fuzzy Hash: F7D19EF15083449FD720DF14CC8579EBBE4AB94304F64892DF999AB381D375E908DB92

Function 00405854 Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

ualA, xrefs: 00405C81
ualA, xrefs: 00405B93

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID: ualA$ualA
API String ID: 0-558424217
Opcode ID: c345c73ad09b03db6a284c8437bab3517d97960114e0065339adbc9a0d58e072
Instruction ID: 9eaeec9fc94797bde6615210e1940a34a05c262dbc2ca1ae6ee7a7fea16147d3
Opcode Fuzzy Hash: c345c73ad09b03db6a284c8437bab3517d97960114e0065339adbc9a0d58e072
Instruction Fuzzy Hash: 59A136769543258FC308EF7AEE8646A3252F7C0318346963ED543FB5AACF3815428ACD

Function 004058B4 Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

ualA, xrefs: 00405C81
ualA, xrefs: 00405B93

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID: ualA$ualA
API String ID: 0-558424217
Opcode ID: cfff2bbad089ca8a092358ed4c0f23b685080854cce633138b1806ca0b3c8240
Instruction ID: f89fd5167e97bdab6211a4f445e5bb93c5c306dd307a74eb080b5580a211e9d3
Opcode Fuzzy Hash: cfff2bbad089ca8a092358ed4c0f23b685080854cce633138b1806ca0b3c8240
Instruction Fuzzy Hash: 069124369583258FD318EF7AEE8646A3252F7C0318346963ED543FB5AACF38154286CD

Function 020ECBF1 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

KupQ, xrefs: 020ECCA1
IDIE, xrefs: 020ECC8B

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: IDIE$KupQ
API String ID: 0-2933137991
Opcode ID: 1d7282ec3efbb629d1c424745926d94a7c74e797e7d6308f05b5b30acd2b9860
Instruction ID: 9ed53cb481cd4607ece6af91bc302b67cfe1987eaf549c5712da96c3588cdbcc
Opcode Fuzzy Hash: 1d7282ec3efbb629d1c424745926d94a7c74e797e7d6308f05b5b30acd2b9860
Instruction Fuzzy Hash: 51512CB2D0C3E04AD7398B3584513A7BFD2ABD3218F1D85AEC9D96B286D73644038746

Function 020ECB9B Relevance: 2.7, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

KupQ, xrefs: 020ECCA1
IDIE, xrefs: 020ECC8B

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: IDIE$KupQ
API String ID: 0-2933137991
Opcode ID: 9e67a76d2ff6c99442b3d6d5fc412d491b4b045acf56f51acddc395d841b9351
Instruction ID: 82e674674eee7a6d41484138e4c33e05442c5645f71ba214d985cc06c3fd76d2
Opcode Fuzzy Hash: 9e67a76d2ff6c99442b3d6d5fc412d491b4b045acf56f51acddc395d841b9351
Instruction Fuzzy Hash: 4E513BB190C3E04ADB358F3584503A7BFD2ABD3218F1985AEC9D67B246C7364407D756

Function 020ECB6B Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

KupQ, xrefs: 020ECCA1
IDIE, xrefs: 020ECC8B

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: IDIE$KupQ
API String ID: 0-2933137991
Opcode ID: dd10bc4212e20131b524c816dab9cb029697992fbb35e90c49cc2a3f464bea17
Instruction ID: f800eadfd53a642ac3858a9fe5fe3bd58671ff05b564f38e26f1e04255146db6
Opcode Fuzzy Hash: dd10bc4212e20131b524c816dab9cb029697992fbb35e90c49cc2a3f464bea17
Instruction Fuzzy Hash: 30413CB190C3D04ADB35CF2584513ABBFD2ABD3218F1885AECAD96B283C7354403C756

Function 020D8FA0 Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

!d, xrefs: 020D8FEA
!d, xrefs: 020D9030

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: !d$!d
API String ID: 0-1514213583
Opcode ID: feb579ea7e6cb0e806f2f23b4440d9372b40a84398e7398206d6e813a5b2b410
Instruction ID: c3c9b201dbd2eb37449ea329a93954022622fb03be13526461079e23f2152884
Opcode Fuzzy Hash: feb579ea7e6cb0e806f2f23b4440d9372b40a84398e7398206d6e813a5b2b410
Instruction Fuzzy Hash: 652145346623109BE76E8B14CC92F7A72E7FB99301F94842CE282A31D1EB30A511970A

Function 020DCF02 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

cwdc, xrefs: 020DCF22
e8, xrefs: 020DCF32

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: cwdc$e8
API String ID: 0-2079913055
Opcode ID: 0f51b8f6ac32737438fca14280f25893de379916851452ccd22639846337bf36
Instruction ID: bbc59b9b089535e58ee6634bf44ae2996ec25113f3ce76ffdfb0a7046eadf86b
Opcode Fuzzy Hash: 0f51b8f6ac32737438fca14280f25893de379916851452ccd22639846337bf36
Instruction Fuzzy Hash: D7213A7161E3818BD395CF2984A17AFFBE2AFC2204F58986DE0D587341DB34C505CB02

Function 020CF253 Relevance: 1.9, Strings: 1, Instructions: 644COMMON

Download Yara Rule

Strings

.8=6, xrefs: 020CF6B9

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: .8=6
API String ID: 0-4001590814
Opcode ID: 4008c04f25b87cda6aba7019eade33a8da00453663ec1fd503b0cd7ef1a541f9
Instruction ID: db6166a2aba35cffdecd1ca7b8447f54028d96f3bbb81dcf1c49a9ce531cf9e3
Opcode Fuzzy Hash: 4008c04f25b87cda6aba7019eade33a8da00453663ec1fd503b0cd7ef1a541f9
Instruction Fuzzy Hash: BA2217B56007418FD32ACF29D8D1A62BBF2FF9621471985ADD4968F762D334E806CF11

Function 02100CE2 Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

DEFG, xrefs: 02100D62

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: DEFG
API String ID: 0-234382317
Opcode ID: d5de0e57f16a8e8e91635c7f076ff979dd3c76d6def964305493cc9c818af503
Instruction ID: 4a4d19f22ba167e643400b988b649fa9b0b25ef9d8aa2dea6c60bd1ac8045b18
Opcode Fuzzy Hash: d5de0e57f16a8e8e91635c7f076ff979dd3c76d6def964305493cc9c818af503
Instruction Fuzzy Hash: D1A14332B883104BD7288E28C89067FB7A3EBC9314F1EC53CD9965B384DB75AC058782

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 020DF052 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 020DF11D

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 3d95f8db1ec994b5d0c02fa6d1c4e44fee0ec464cd1914f81912a8cdf20a16ba
Instruction ID: 83a39cf16fe900d27518a14648350829527686d2a49485f6cca4d03155703b9c
Opcode Fuzzy Hash: 3d95f8db1ec994b5d0c02fa6d1c4e44fee0ec464cd1914f81912a8cdf20a16ba
Instruction Fuzzy Hash: 42814C765053624FCB128E28C8543AEBBD1AB95224F19C23DDCBA9B7C1D734D805E7D1

Function 020E98D9 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

h5z7, xrefs: 020E99C8

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: h5z7
API String ID: 0-2417693688
Opcode ID: b5a1b98a36e0722e9944fa8836647d82bdd2e7df30f2c9f9e4aee75dd4919a37
Instruction ID: fc4bcdb6466847d989464ab8d729fc477ce408b3519b54e43565bc3ed9972352
Opcode Fuzzy Hash: b5a1b98a36e0722e9944fa8836647d82bdd2e7df30f2c9f9e4aee75dd4919a37
Instruction Fuzzy Hash: 1D6100B19483158ADB20CF14D81176BB3F1FFE5354F189A1CE8D24B391E3799A80D786

Function 020EBF12 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 020EC110

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: eb94c974b951754a2525f93f6faea5d023f1c964458aec1997ffcaecddb49e83
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4D71F932A083158FEB15CE29C88031EB7E2BBC5714F19C56EE49687351D376DDC49B82

Function 020F1D82 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

d, xrefs: 020F1E13

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 68c61f0a19fd474ca282dc414d38f859da30e0f8bac3cf088e6750033e935a97
Instruction ID: 36102e5d39bb4f92f7c3b16fbfe72d8b35ae7c7d4b5231b93843629a84bc8ed4
Opcode Fuzzy Hash: 68c61f0a19fd474ca282dc414d38f859da30e0f8bac3cf088e6750033e935a97
Instruction Fuzzy Hash: 11711A376897908BD32D8E3C4C612AABE934BD7230B1E876DEAF58B7E1D66548059340

Function 020E6AC2 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

UV, xrefs: 020E6CFF

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: UV
API String ID: 0-69029679
Opcode ID: 125180757b677d8c3921de73fe6bb8a63f2bb981cd736e6a368f0068a28dff29
Instruction ID: 2815722fcd799d2185427676bd0fe5c194aa05a308dbb912d5acc86ea7cf05d7
Opcode Fuzzy Hash: 125180757b677d8c3921de73fe6bb8a63f2bb981cd736e6a368f0068a28dff29
Instruction Fuzzy Hash: D1611FB19093418BC710DF14D8916ABBBF1FFA2324F198A1CE9C64B390E376C585DB86

Function 020DB357 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

W<, xrefs: 020DB438

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: W<
API String ID: 0-2605491691
Opcode ID: deec05a1240d17140825e07fad2984c92f390d8d84ad10f463814f8984444530
Instruction ID: 1bc364fb5bd7284175df30c9d1196a2216300dbba3ee25092e551a5025e3bf42
Opcode Fuzzy Hash: deec05a1240d17140825e07fad2984c92f390d8d84ad10f463814f8984444530
Instruction Fuzzy Hash: 8B3124708053818BC72ACF24C4A27EBB3E0FF96318F054E5DD8E64B291E3B8A545D792

Function 020FDEF4 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

0?>=, xrefs: 020FDF23

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: 0?>=
API String ID: 0-3891647100
Opcode ID: 48e059d27937dbb3337ee48a2cf5f1b3fbb63c7acc6e8546127554b78a436b04
Instruction ID: c84fcb22e7708a177ff92e7d0b609f45c78cc9c0c602d058b2580849f38474cd
Opcode Fuzzy Hash: 48e059d27937dbb3337ee48a2cf5f1b3fbb63c7acc6e8546127554b78a436b04
Instruction Fuzzy Hash: B74158B7F542104BDB68CF68CCD0A7AB363FBD6214B2A9278C662977A5C7309C028745

Function 020DACFC Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

a, xrefs: 020DADD5

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: fe73f7f3435d7204f2e11eb17e9a91cbb49dd8f8dccdbdc38cd4fe6c9be481a3
Instruction ID: 4b1d9580fe6aaeca32fd3617de3017428041f0122282843273e9d01596fab643
Opcode Fuzzy Hash: fe73f7f3435d7204f2e11eb17e9a91cbb49dd8f8dccdbdc38cd4fe6c9be481a3
Instruction Fuzzy Hash: 17310B73A193508BD305DF28C8805AEBAE3FBC9300F494A5CE5D867750D7718A05DB57

Function 020E5A65 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

!d, xrefs: 020E5A74

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID: !d
API String ID: 0-3903867909
Opcode ID: 75aaf7df1149021f5261021a914d1fcc2b0d78f7d1dd06d122ee8d6748a48831
Instruction ID: 83612cbe17ee3b6b46f68a1af2670acae628ebd9be234ca74e6d3a6b33ac71db
Opcode Fuzzy Hash: 75aaf7df1149021f5261021a914d1fcc2b0d78f7d1dd06d122ee8d6748a48831
Instruction Fuzzy Hash: E21121313A87049FCB558FA4CCC096AB7F2FB96308F98097CE6A117262D3709841DB46

Function 020D21A2 Relevance: .9, Instructions: 901COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89af8b84d965cc36c3c1016dc0a4f9083dd2f835a324059e58ebbc940991565c
Instruction ID: 6fb08371ec16a491d1e9548bfc35265bf88b51c8814dd0f0be943ca26fa27081
Opcode Fuzzy Hash: 89af8b84d965cc36c3c1016dc0a4f9083dd2f835a324059e58ebbc940991565c
Instruction Fuzzy Hash: BA72E9B2A05B408FD715DF38C88536ABBE2AF95310F198A7DD8EA873D1D635E405DB02

Function 020C4722 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d62fa36bec45681f75607a2416d3919e8532adfda70d3637d4176e81aac0ba
Instruction ID: c51308a770f1d8fd8194d88de6631433603338793ace00f44feeb900085063a1
Opcode Fuzzy Hash: 53d62fa36bec45681f75607a2416d3919e8532adfda70d3637d4176e81aac0ba
Instruction Fuzzy Hash: B452BFB15083458FCB15CF28C0A06AEBBE1FF88318F298A6DE8D957341D774E949DB85

Function 020C7E62 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99025503f6961f9fe6108dbae163502fadd5235fbbb0a12605ec2cb5db1e2c4b
Instruction ID: dc75282c46531a702d8b6f9c96c92e50827c0960ef4e9a17290b73b62a467989
Opcode Fuzzy Hash: 99025503f6961f9fe6108dbae163502fadd5235fbbb0a12605ec2cb5db1e2c4b
Instruction Fuzzy Hash: D852D7F0908B848FE777CB24C4883AFBBE1EB41314F24896DD5E606AC2D379A585D749

Function 020C8C42 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae0cce2e7c03b18b9504392e5a9e0d51011ee08d27993f89b83f822f2d37276
Instruction ID: 66f4aa70ace42e79a7848d87666ecef464cb6f2d00a76777650576071bbf8f2c
Opcode Fuzzy Hash: 0ae0cce2e7c03b18b9504392e5a9e0d51011ee08d27993f89b83f822f2d37276
Instruction Fuzzy Hash: 4412E2B2A087558BC725DF18D8806BFB3E2FFC4319F29892DD9C687284D734A811DB46

Function 020C5172 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ce365efed15439f91f7cd96561927a701604761550cb70a059b85a89283ba1
Instruction ID: 084aeef5b63ebed2c881587a175d158d3e98dd6ebfa2c9b63367c1aa12e4857d
Opcode Fuzzy Hash: 79ce365efed15439f91f7cd96561927a701604761550cb70a059b85a89283ba1
Instruction Fuzzy Hash: 213234B8515B108FC379CF29C99052ABBF2BF45210BA04A2ED697A7F90D736F445DB10

Function 020D2D0C Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a8b0975ba6b7d4fc11390cee1aa81942727625cf63e848eb3f09b6f25ff76d
Instruction ID: 3dde12ba71dc250034c496040acca1e159ac8756eadb7d3ad61850dd061ae6bb
Opcode Fuzzy Hash: 74a8b0975ba6b7d4fc11390cee1aa81942727625cf63e848eb3f09b6f25ff76d
Instruction Fuzzy Hash: 8432D4B1A05B408FD724EF38C4953AABBE2AF95310F148A6DD4EB87391D735E409DB42

Function 0040840C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Function 020D00F2 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8febef6685cf24486d77ca7708b644d63d2a4b135186ac7d21ae91547ba95175
Instruction ID: 769e329cfc0f94aa9119326c3eb4ee6c21a1a5217c2fbcc70c92134d1d2a5adf
Opcode Fuzzy Hash: 8febef6685cf24486d77ca7708b644d63d2a4b135186ac7d21ae91547ba95175
Instruction Fuzzy Hash: F202E9F1905B00AFC3A1CF3AC946797BEEDEB4A360F14491EF5AEC7240D63565058BA2

Function 020F9CC2 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb5a495243add10bfa5ee9b51a8973b1789339223ee017afd647bfd5cc345d3
Instruction ID: 00c396db8d7fe330491c49a86ed1b7d399deb2892eb9f78ed3c15a4620ee423c
Opcode Fuzzy Hash: ffb5a495243add10bfa5ee9b51a8973b1789339223ee017afd647bfd5cc345d3
Instruction Fuzzy Hash: 3BB158316883049BD7A5CF24C880B6BBBE6EBC5318F15892CE7D957691D731EC05EB82

Function 020C7172 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61242a3ec428c69189e9d0599d99559f8402a195c3483dfe4c9a938412d44646
Instruction ID: b68fffd6857114e15f1bd93cfef5b0b00406c5142a6f794e890ba1f6bc741f98
Opcode Fuzzy Hash: 61242a3ec428c69189e9d0599d99559f8402a195c3483dfe4c9a938412d44646
Instruction Fuzzy Hash: FDE178B12083818FD321DF69C880A6FFBE5EF98204F54882DE5D587761E375E948DB92

Function 020D5E42 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cb7022f27d583263c619afea43001496b97777da7282b309b5d7c8bf801a67
Instruction ID: 1757106ec17bb15fc1d695eed6e7c8a0cf3c3ba7634f717cdb7e0e8e362656fc
Opcode Fuzzy Hash: f8cb7022f27d583263c619afea43001496b97777da7282b309b5d7c8bf801a67
Instruction Fuzzy Hash: CA81E0715053048BD714AF28CC627A7B7F1FF85324F098A2DE8928B391E7B9D908D756

Function 020E3362 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8fda7dc3e3f10bf5951faa8307335cbe8bfcc380665bd3d2d7b15aac8646fb
Instruction ID: 566548ec14ddcb382d6d07bdcdd6c140a46d337ffe20deba42dc0702d5750465
Opcode Fuzzy Hash: bd8fda7dc3e3f10bf5951faa8307335cbe8bfcc380665bd3d2d7b15aac8646fb
Instruction Fuzzy Hash: B6A1CEB16083419FCB149F24C891BBBBBA1FFC4318F14895CE98A8B381E775E945DB52

Function 021009A2 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e3d902446da92d2c5f7b1b9b0da3b8e7261267eba95c43fdbdbeb0a584a330
Instruction ID: dbc093b84a05b4fc319893b1341fb91b5314e22b9303507ce860c55602e511d6
Opcode Fuzzy Hash: 12e3d902446da92d2c5f7b1b9b0da3b8e7261267eba95c43fdbdbeb0a584a330
Instruction Fuzzy Hash: 009105356883158BC7289F28C8D0B6BB3E2FB88714F19853CE9959B394EB71EC45C741

Function 02100682 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4e56e44c9988b849d154d62c06baeddd75874446e0c9c9bf3dc5ce6994d236
Instruction ID: 355cd6869daa9365bacb6094bc3171cd23681636bc2bad010090c80000656b44
Opcode Fuzzy Hash: 1b4e56e44c9988b849d154d62c06baeddd75874446e0c9c9bf3dc5ce6994d236
Instruction Fuzzy Hash: D7910335A883058BD7149F28C890B6B73E2FFD9714F19853DE9898B395EB70E811CB81

Function 020E7462 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1457b23521a91baa183de2e8582065ec954a7eb7f432b2df5e24a079f32d492d
Instruction ID: a94de5b09d8d6ac6e3789d699ba38284af6a4cceb31888f9a7beb7b1b4499bae
Opcode Fuzzy Hash: 1457b23521a91baa183de2e8582065ec954a7eb7f432b2df5e24a079f32d492d
Instruction Fuzzy Hash: C99117B2A043104FDB289F68CC96B6BB3E2EBD1308F19843DD987872A5E738D945D751

Function 020C79D2 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b79e815784397d878c460c927ca73852a8a646888c8050010eebc084a4cdb3
Instruction ID: 89c05d1b3c9bc8155856f7089694231bad99b9e6e8ceb1750b7a1416617761ed
Opcode Fuzzy Hash: 44b79e815784397d878c460c927ca73852a8a646888c8050010eebc084a4cdb3
Instruction Fuzzy Hash: 18C16CB2A087418FC360CF28CC86BABB7F1BF85318F18892DD1D9C6252E778A155CB05

Function 02100392 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c298a8eb4cb382bcc77e3234aa9cf5843b4c3f814b0bf82b1a67344acb707ac
Instruction ID: 8d769f2c9df8993ec9bfda1014434e5d390ab802e2aceee58a30737e2b6d4d3a
Opcode Fuzzy Hash: 9c298a8eb4cb382bcc77e3234aa9cf5843b4c3f814b0bf82b1a67344acb707ac
Instruction Fuzzy Hash: 248126366853118BC7249F28C8D0B6FB7A2EFCC754F1A852CE9959B3A4DB70E851C781

Function 020DF512 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2414a1a90e1d08a6129117832b489066f250707ad83306baf5ff26a18860d7
Instruction ID: 02457361bf9a1dc83e3c4b264acc7cce7cfed104c1f115a7ff45238d39822ae8
Opcode Fuzzy Hash: bd2414a1a90e1d08a6129117832b489066f250707ad83306baf5ff26a18860d7
Instruction Fuzzy Hash: CB711737B4AB9247E328893C4C253AA7AD30BD3234F2DC77EE5B68B7E5D56548019340

Function 020FBFB2 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d96485befee8235c2f30b6018d8ded46f807b2373d3043f7dada73ba83ee799
Instruction ID: 5a1eabb9a52439c145eeb8ca7daea81acfb749dd1377f9223e178eec2236ec01
Opcode Fuzzy Hash: 8d96485befee8235c2f30b6018d8ded46f807b2373d3043f7dada73ba83ee799
Instruction Fuzzy Hash: 4A517C717883044FE3A5DF28CC8162BB7E2EBD6314F28893ED78197741D731A816AB12

Function 020F8FA2 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d80c49381b62056c50eb6e2069c9ebdb6415fb32587307115fea77fd02697e2
Instruction ID: 9489cadfc57028ffebb9f65e8ae4063548852343402475218b0c1b32ff296df2
Opcode Fuzzy Hash: 9d80c49381b62056c50eb6e2069c9ebdb6415fb32587307115fea77fd02697e2
Instruction Fuzzy Hash: AC91343158C3858BC3958B2C888436EBBE1ABCA328F184B6DE6E5877E1C375C545D747

Function 020CE7DA Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f103b7b59b6263a90c6b95f954683e57fa3c029ac85479d74bb1740069586f
Instruction ID: 1104e62ed91c9303a940d24b5f9a2751a440de8b5bf89f5d7809124bdf1f2bb2
Opcode Fuzzy Hash: d4f103b7b59b6263a90c6b95f954683e57fa3c029ac85479d74bb1740069586f
Instruction Fuzzy Hash: 6051D3B93983408BE76ECF15C8D0A3973A7FBD9304B79957CC58657661CB30AC01EA15

Function 020C0000 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9bbba2d45ac230f0f69769ca10a7cb41ae09c5558e4a776c371d4608edba11
Instruction ID: 1a47f82245e82a3ee99617d2037d5fcc128250f1c5e0fab9acdbad512c5b54d6
Opcode Fuzzy Hash: 7f9bbba2d45ac230f0f69769ca10a7cb41ae09c5558e4a776c371d4608edba11
Instruction Fuzzy Hash: CF8195B69543218FE34CCF39EE965A63BA2F780314301923ED942E7675DB3851458BCC

Function 020E4F61 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c49f9fbf494971df7976483a720df3bd6969ead224a28774ce98057b7019990
Instruction ID: b8f07374734b745f250a7f5d69fc604856d3a3352574c8ea2779fb0ea3564d4b
Opcode Fuzzy Hash: 0c49f9fbf494971df7976483a720df3bd6969ead224a28774ce98057b7019990
Instruction Fuzzy Hash: 1251FAB1A503008FDB14DF25C892BAA3F72FB45304F5591ACD9569F35ACB358842DB85

Function 020F35E2 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526873104174284fe48d938f4529c780dcacaffbe3c1effbbae70a102d0ce669
Instruction ID: ba51937698db2abc082f010d8108346b85dd7f4cd7df4067033c9c2bb97e5800
Opcode Fuzzy Hash: 526873104174284fe48d938f4529c780dcacaffbe3c1effbbae70a102d0ce669
Instruction Fuzzy Hash: 6E611936B89BD047C3689F7C4C61279BA434F97230B1EC3BEAAF687BE1D61448159390

Function 020E7BA7 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8a0dac19ec6aca44e564460274412bd6f62cf979ad0c3e663c3060c251177c
Instruction ID: 65dcbbec6a8665e072b397e6c249d8cac178e8aad7b8ebfd7db24162f48c6511
Opcode Fuzzy Hash: 2c8a0dac19ec6aca44e564460274412bd6f62cf979ad0c3e663c3060c251177c
Instruction Fuzzy Hash: 737114F2D002428FDF25CA68C4516FEF7B2AF98300F59446AC953AB351D734AE82DB91

Function 020FA2C2 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977b067070f21a98eded21a2731cc20525834af76ba09e01110c0a482553f65d
Instruction ID: f3bcdde5cb42c4e9822bc56bce9b92a462fa8c579b583be0e8888ddd8dfd762f
Opcode Fuzzy Hash: 977b067070f21a98eded21a2731cc20525834af76ba09e01110c0a482553f65d
Instruction Fuzzy Hash: B7515A71B4C3948FCB658A28C4903AFB7E2EBC6204F09855DF6CA8B746C239ED45D781

Function 020F8832 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fe9a7ff1e933d72a7d4168b964afefdca25735b7ba55603740c0c5842501f6
Instruction ID: 8d71c8aa57213cf2c1eb99010929464c1c08b99b2f818f50c1efa2fb2dbe854b
Opcode Fuzzy Hash: 75fe9a7ff1e933d72a7d4168b964afefdca25735b7ba55603740c0c5842501f6
Instruction Fuzzy Hash: BE516CB16087548FE354DF29C89439BBBE1BBC4318F048A2DE5E987750E379D6089F92

Function 020E966C Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531a253513d854624832f0f1268352e5db5cbc68b95306a6018bd7d5f2f5c087
Instruction ID: 5630b9b0fa7304700fca649b3d5a4dc4fe2803f2311ab0612eeaba16f9f58cfd
Opcode Fuzzy Hash: 531a253513d854624832f0f1268352e5db5cbc68b95306a6018bd7d5f2f5c087
Instruction Fuzzy Hash: 8441A1B365C3154FD328CEA9D88139FF6E2FBC4204F09883ED8A597241DA74D6098B92

Function 020FEB43 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afe8cd4c5a2d91c98129b5cd345144b10a66f38c75592216988112a80974251
Instruction ID: 10fb2e0dc99d17b590fdb1111a7520d910d6fe7b22fe27cd6d6e247f1ad02d88
Opcode Fuzzy Hash: 3afe8cd4c5a2d91c98129b5cd345144b10a66f38c75592216988112a80974251
Instruction Fuzzy Hash: 2D314737B893A00BC309DF68DCC0616BBD1FBDA314F0F127D95D4972A2DB6489018B84

Function 020EC202 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e52d2553846501074cc6eac3487469e17430b95ddd4215b40ccac7d1349af2
Instruction ID: c9ce1914e6c52cc0e3f45646c5667012c50df846367a4cfd74af914dc133ef6a
Opcode Fuzzy Hash: 25e52d2553846501074cc6eac3487469e17430b95ddd4215b40ccac7d1349af2
Instruction Fuzzy Hash: B4314773D11B2C0BDB098D6D5C11269B2C25BC4221F9E837EDDAA5F3C2DA319C0292D0

Function 020C3DA2 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ef5a02df10a37f9cd78ca65c58052d67d30c41be72dcb82a72ea05c3567aed
Instruction ID: f82b82a9384f3afd46c6b8a39d51ffd7aa571e73901461bc1ee953a9b742aa95
Opcode Fuzzy Hash: 59ef5a02df10a37f9cd78ca65c58052d67d30c41be72dcb82a72ea05c3567aed
Instruction Fuzzy Hash: 3C3148F56843144BC3215F28989437EBBE5FF86228F39817CE8DA87251E372C905E7A4

Function 020C0FD5 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 26b2792f3955c47c3af3cce66b26a36ca1ec45d56a9e6776f6ddd7edaa060e4d
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 725162B4E00209DFCB08CF88C590AAEF7B2FF88314F248199D815AB355D375AE81DB94

Function 020CD8CD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87409c7ebffde4edca2967101d67f9bb46694813d42340c738a0ef65caa338cd
Instruction ID: 623b3382f9d280fb50ab56a1d4eaf9309d28231b6737a6c6b145eb173906b7c3
Opcode Fuzzy Hash: 87409c7ebffde4edca2967101d67f9bb46694813d42340c738a0ef65caa338cd
Instruction Fuzzy Hash: AE01A1767883411BE358DF64CCD27ABA7E1D7C6718F28743DE98393282C6989C41D64A

Function 020CEA5B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c932769af1db5db77f5974673d77e20fef99ae6d7361392a9d1b30d4985e46b
Instruction ID: 3c71067be2dcc84b46f98b4d2f3707b19b27b6302562d3670b3feee2cf676d7b
Opcode Fuzzy Hash: 2c932769af1db5db77f5974673d77e20fef99ae6d7361392a9d1b30d4985e46b
Instruction Fuzzy Hash: 94118C71A516400BDB2D8F25D85266BBBD3AFD6321B2CD33CC48A83B05DA3CE4128B09

Function 020FA7CE Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a8c7cce303fee665c1fc4c7e65f333f825770f7e33093f95c7b2e0d9f891a4
Instruction ID: 02b5902a50c49ff0c1bd3283a7f26a1f07af1bb94bcf66c70b9b0607cd021076
Opcode Fuzzy Hash: 43a8c7cce303fee665c1fc4c7e65f333f825770f7e33093f95c7b2e0d9f891a4
Instruction Fuzzy Hash: 46110672E106168BCB58CFA9C8411EBF7F1FF9A310B18C129C415E3254F3389542CB90

Function 020FE4FD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fc3d2ec8f1f00cb75a4d6a970fb2d85e5a941e36995e029e79fb58121fab0a
Instruction ID: 2d9ed1c0bfac7f2fe8cd2ba58f8353b243dc2030761b3e26075169ad967c44c2
Opcode Fuzzy Hash: 15fc3d2ec8f1f00cb75a4d6a970fb2d85e5a941e36995e029e79fb58121fab0a
Instruction Fuzzy Hash: A7115979A147129BD328CF35C420576B7F1BB45300B18832DC99693750E738E951CBE1

Function 020E7915 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcc3c7ad8ce7d95c7535e39806aabba9bd5cba7ee3961789b683d3cd05209ed
Instruction ID: c26fb7b33883955f9cdc1f93d2d4f95797236f4d1046f024d958edf9a10a9ff0
Opcode Fuzzy Hash: cdcc3c7ad8ce7d95c7535e39806aabba9bd5cba7ee3961789b683d3cd05209ed
Instruction Fuzzy Hash: 8921A7B3E507118FD304CF95C88175AFBA2FB94300F59D5A8C5456F646C6B4D8858BC4

Function 020C0FD4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 19f78a63d646728433acc3ac7f300362986b02ceb5f60856238ed32858ee46f7
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 333195B4E00249DFCB08CF98C590AAEFBB1FF48314F248599D815AB346D375AA81DF94

Function 020F6332 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 83af92e05637f479072fdfe584016dab8c5d7d72fd4917dec46a0e55745b0a98
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 37110833A493E40EC3568D3C84805A9BFE70AD3135F5D8399F4F89B2D2C6238D8A9351

Function 020EB4E2 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f258c5d221548f275ed8b43bf51db39d56e7a72b1a17639b993a38f7acb0d70
Instruction ID: 4b2b63a56b49c0478885e14d101f38cb19fb1a62fb8f5e57d2b71276c288e7cd
Opcode Fuzzy Hash: 0f258c5d221548f275ed8b43bf51db39d56e7a72b1a17639b993a38f7acb0d70
Instruction Fuzzy Hash: 2301D4F27003414BDF31AF6494D4B3BB3E97F90718F29842DD8164B240EB76E884ABA1

Function 020E56E2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a816a1b5ed79dcc473e72af881e77224d438597b890ca7a808e8314cd72f5d69
Instruction ID: aee1ece592ef492cf971da7c67350df6f184d8e2c62229da21a66e54de9aa222
Opcode Fuzzy Hash: a816a1b5ed79dcc473e72af881e77224d438597b890ca7a808e8314cd72f5d69
Instruction Fuzzy Hash: C61151716497118B9B68CF11D81217FBAE2AA81A44FC98C6CE0C38B144D375C555D741

Function 020E2A0D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8dda23cf282c44b283b31ff4621da96a4591eeb2c7fbc2598ead98b9a9ac484
Instruction ID: 7b461e0838c0a002e96fb3986517569c87a4dceb8d38e77559b3624e32082bb4
Opcode Fuzzy Hash: b8dda23cf282c44b283b31ff4621da96a4591eeb2c7fbc2598ead98b9a9ac484
Instruction Fuzzy Hash: 8901F5B5F4A3516FD700DE25AC91A2BBAE6FBE1601F04883CE851C7242EA78D9054A19

Function 020D72C5 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e05958ab2d74afa60cd9b0c470a447c0caff7ff227d7df738881332062c68ec
Instruction ID: 2f149584fd25dd29244df5f151631b810267a70511a864a15918325823c6ac4f
Opcode Fuzzy Hash: 1e05958ab2d74afa60cd9b0c470a447c0caff7ff227d7df738881332062c68ec
Instruction Fuzzy Hash: FF0180B190D3808FD3359F24989969FBBE5EB93300F59492DC0C95A214DB358845CB83

Function 020E7192 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8ee802bd6553568b81a28d84e5a886a5cbc8b1b16f449da09c3065d48fb253
Instruction ID: 71b282cd49e61b929f4b9834eb6f1a85e10961a2710a918077df4a905d14d7a9
Opcode Fuzzy Hash: 2d8ee802bd6553568b81a28d84e5a886a5cbc8b1b16f449da09c3065d48fb253
Instruction Fuzzy Hash: 2F016DB084C3018FD719DF20944176FBBE5FB92304F509A2DE1D166152D775C60E8F8A

Function 020C0D35 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 3ad66664e4c862fb364f419baa0c948e4324d73d753edc8a40c3554d49e862c0
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: F301A474A11608EFCB55EF98C194AACB7B6FB49314F308299D8159B394C731BF41EB90

Function 020E9879 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8923d076dd0cf2bcac19f8223a60b52bd71a1bcc81ef9616cd1a3b75f77cf152
Instruction ID: 5220b0ed5be75a60229b23483b3b388a73c87f6eacdb281932e769ddcf9b4436
Opcode Fuzzy Hash: 8923d076dd0cf2bcac19f8223a60b52bd71a1bcc81ef9616cd1a3b75f77cf152
Instruction Fuzzy Hash: 06B092B1D887808B8505EF0498928BAB7799B67310F102428D4096B251EA25E951DB8F

Function 020E94E8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779789449.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20c0000_x4PaiRVIyM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62984822127642c478f5ace72fcd2fd09851256de30a3e43f83155c55e51e2a9
Instruction ID: 3a5a42d97e986663ccd2686de74347b817ca597ab40978723763a9c6611f0646
Opcode Fuzzy Hash: 62984822127642c478f5ace72fcd2fd09851256de30a3e43f83155c55e51e2a9
Instruction Fuzzy Hash: E5A00224E5C705EF8A1C8F149D905F8E679D78F251FD03828802BF7962DA10DC81D76C

Function 0040444A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167d8dd652e4a0b18676e22d1f0b694b3e2050296b10cfa44d62bde203ece273
Instruction ID: 784134393093e2e5005afeab81820b432fe556bc7fcb11ac55ef8b55b6821f6f
Opcode Fuzzy Hash: 167d8dd652e4a0b18676e22d1f0b694b3e2050296b10cfa44d62bde203ece273
Instruction Fuzzy Hash:

Function 00404482 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fdac973c3089c01465a791eacb14a84e7be514df70a27485f1914b6386e0a8
Instruction ID: 74a8d2e7032187ae17e33d6c56d987dbda54f6fc4e65b82033ec436fbdb79e3a
Opcode Fuzzy Hash: 03fdac973c3089c01465a791eacb14a84e7be514df70a27485f1914b6386e0a8
Instruction Fuzzy Hash:

Function 00407024 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,?,004098D0), ref: 0040704D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,?,004098D0), ref: 004070A1

Strings

GetUserDefaultUILanguage, xrefs: 00407043
Control Panel\Desktop\ResourceLocale, xrefs: 004070B0
.DEFAULT\Control Panel\International, xrefs: 00407078
kernel32.dll, xrefs: 00407048
Locale, xrefs: 00407090

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 7527274d13757591ed95a28b65d500b4314afdc8e6aae835557058d53075206c
Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
Opcode Fuzzy Hash: 7527274d13757591ed95a28b65d500b4314afdc8e6aae835557058d53075206c
Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 121fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: File$Pointer$CreateHandleReadSizeType
String ID:
API String ID: 741532818-0
Opcode ID: 403414a86dc723bb3cef7f5a1f4ed97203eaa8ae0b3646c9adec8fd6a7129518
Instruction ID: 024604f3a216e7c6dd34324d53ddcba0102d8b0acb9e3802b94c63e6c99f6cb4
Opcode Fuzzy Hash: 403414a86dc723bb3cef7f5a1f4ed97203eaa8ae0b3646c9adec8fd6a7129518
Instruction Fuzzy Hash: D64194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 0040A0E7 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0040A0F4

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB), ref: 0040966C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A131
SetWindowLongA.USER32(00000000,000000FC,Function_00009918), ref: 0040A148
RemoveDirectoryA.KERNEL32(00000000,0040A287,Function_00009918,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A234
73A25CF0.USER32(00000000,0040A287,Function_00009918,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A248

Strings

/SL5="$%x,%d,%d,, xrefs: 0040A188
STATIC, xrefs: 0040A12A
InnoSetupLdrWindow, xrefs: 0040A125

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: ErrorLastWindow$CreateDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3341979996-3001827809
Opcode ID: 1d45d037bb703eeb04ab3c0565cb9baec541f6386a3d8acef681785d9d42bc6d
Instruction ID: 62af14def8aeee2ea33bef9e9495f996c0b53bf3921735d96bebdf7865f105d0
Opcode Fuzzy Hash: 1d45d037bb703eeb04ab3c0565cb9baec541f6386a3d8acef681785d9d42bc6d
Instruction Fuzzy Hash: 88412A70A00205DFD704EBA9EE86B997BA5EB45304F10427BE510BB3E2DB789801CB5D

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4

Strings

Wow64RevertWow64FsRedirection, xrefs: 004090D4
Wow64DisableWow64FsRedirection, xrefs: 004090BA
kernel32.dll, xrefs: 004090BF, 004090D9
shell32.dll, xrefs: 00409110

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
Instruction ID: 472eec0154f0d1c01dfbc71f8259101f76790119bc09363f7f111e724705e506
Opcode Fuzzy Hash: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
Instruction Fuzzy Hash: 35015E70608342AEFB00AB729C4AB163A68E786714F60447BF5447A2D3DABD4C04CA6D

Function 0040A0D5 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A131
SetWindowLongA.USER32(00000000,000000FC,Function_00009918), ref: 0040A148

Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000), ref: 00406B94

Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,?,00409A90,00000000,00409A77), ref: 00409A14
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,?,00409A90,00000000), ref: 00409A28
Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?), ref: 00409A53
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,?,00409A90), ref: 00409A5C

RemoveDirectoryA.KERNEL32(00000000,0040A287,Function_00009918,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A234
73A25CF0.USER32(00000000,0040A287,Function_00009918,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A248

Strings

/SL5="$%x,%d,%d,, xrefs: 0040A188
STATIC, xrefs: 0040A12A
InnoSetupLdrWindow, xrefs: 0040A125

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 978128352-3001827809
Opcode ID: d074aa356e08388772205335c59cb73ac547e770bd50e989d8b46a2422503adf
Instruction ID: 1dc8ba1ebca63e4a13c0cdd659cb6d357c5997a84de4409b1b672f339ad13816
Opcode Fuzzy Hash: d074aa356e08388772205335c59cb73ac547e770bd50e989d8b46a2422503adf
Instruction Fuzzy Hash: 75411970A04205DFD714EBA9EE85B993BA5EB88304F10427FE510B73E1DB789801CB9D

Function 004099A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,?,00409A90,00000000,00409A77), ref: 00409A14
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,?,00409A90,00000000), ref: 00409A28
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
GetExitCodeProcess.KERNEL32(?), ref: 00409A53
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,?,00409A90), ref: 00409A5C

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB), ref: 0040966C

Strings

D, xrefs: 004099EE

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 1af5f0c9d387fd7b50ad22c7a7f07bddfcf613e0e4cf5b2b2f25cb1012251d12
Instruction ID: 0d26ff0b069f05ac7fc2137d7bf6f4c2b599b29ad8a4266bf43483a79dbd8d3d
Opcode Fuzzy Hash: 1af5f0c9d387fd7b50ad22c7a7f07bddfcf613e0e4cf5b2b2f25cb1012251d12
Instruction Fuzzy Hash: CB1142B17442486EDB10EBE68C52FAEB7ACEF49714F50017BB604F72C2DA785D048A69

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C), ref: 00401A09
LocalFree.KERNEL32(?,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(?,?,00000000,00008000,?,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 968c6ade76c7b2a75fe1028d9f4e0e8289ce355ea137b2e174b443c8b7832b12
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 968c6ade76c7b2a75fe1028d9f4e0e8289ce355ea137b2e174b443c8b7832b12
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400,?,?,?,00000000,004038A0,?,?,004038FC), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000,004038A0,?,?,004038FC), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 0df95bdfd3d8bd1e4bec1292c0e0917371d4f938ad398a1a9200f32258a1f234
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: 0df95bdfd3d8bd1e4bec1292c0e0917371d4f938ad398a1a9200f32258a1f234
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Runtime error at 00000000, xrefs: 00403D96, 00403DA9
Error, xrefs: 00403D91

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32 ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 00409E47 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

.tmp, xrefs: 00409EF1
y@, xrefs: 00409FB4

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 991f677c446ce94498c9c91b388df7e612f8d26d70e236d4543ec0d44d3a644a
Instruction ID: 9654b09d82b51144a4098a2dc8db18680232f6f81bb165c1e960a0c4f18209d5
Opcode Fuzzy Hash: 991f677c446ce94498c9c91b388df7e612f8d26d70e236d4543ec0d44d3a644a
Instruction Fuzzy Hash: 6F419F30600204DFC715EF29DE91A5A7BA6FB89304B10453AF801B73E2DB79AC01DBAD

Function 00409E62 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

.tmp, xrefs: 00409EF1
y@, xrefs: 00409FB4

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 57c71a79f97d8214337404349d021a78a7642e1ac0288813578a6970e4670f84
Instruction ID: 26cc71b999f7f6bdec311d51aeea5e314170344188b91b932b157060f98f8833
Opcode Fuzzy Hash: 57c71a79f97d8214337404349d021a78a7642e1ac0288813578a6970e4670f84
Instruction Fuzzy Hash: C5418030600204DFC715EF29DE91A5A7BA5FB49304B10453AF801B73E2CB79AC41DB9D

Function 00406E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00406F48,?,?,004098D0,00000000), ref: 00406E4C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,00406F48,?,?), ref: 00406EBC

Strings

)q@, xrefs: 00406F3F, 00406E98, 00406EA8, 00406F04, 00406F28, 00406F18, 00406EEF

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: QueryValue
String ID: )q@
API String ID: 3660427363-2284170586
Opcode ID: ff505ce2ca144f1e4aae5d4b556339255e799df597b2c0df569adf756f19ba98
Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
Opcode Fuzzy Hash: ff505ce2ca144f1e4aae5d4b556339255e799df597b2c0df569adf756f19ba98
Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F

Strings

.tmp, xrefs: 0040935F

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: eb5f75e9b8cc84f1b7295cfbfb3655c643ace1023327f03151b1ea358cb4b3bc
Instruction ID: 7d66a9fb3acca2a164fab1eb31a00c007328e74e7b0c548e792a27499ccb9c3a
Opcode Fuzzy Hash: eb5f75e9b8cc84f1b7295cfbfb3655c643ace1023327f03151b1ea358cb4b3bc
Instruction Fuzzy Hash: A1213574A002099BDB05FFA1C9429DFB7B9EF88304F50457BE901B73C2DA7C9E059AA5

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 004094F7
Sleep.KERNEL32(?), ref: 00409507
GetLastError.KERNEL32(?), ref: 0040951A
GetLastError.KERNEL32(?), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.1779319554.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779307886.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779333434.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779356534.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x4PaiRVIyM.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x4PaiRVIyM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
x4PaiRVIyM.exe

Function 020C0AD5 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 020C03C5 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 399
threadCOMMON

Function 020C0985 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 00405CE4 Relevance: 1.5, APIs: 1, Instructions: 247
memoryCOMMON

Function 00405C98 Relevance: 1.5, APIs: 1, Instructions: 230
memoryCOMMON

Function 00405D2E Relevance: .2, Instructions: 237
COMMON

Function 00405E85 Relevance: .2, Instructions: 160
COMMON

Function 0210EE03 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 0210DA55 Relevance: 2.8, APIs: 2, Instructions: 325
memoryCOMMON

Function 020F7DF2 Relevance: 74.1, Strings: 59, Instructions: 347
COMMON

Function 020F7960 Relevance: 44.1, Strings: 35, Instructions: 311
COMMON