Edit tour

Windows Analysis Report
injector V2.4.exe

Overview

General Information

Sample name:	injector V2.4.exe
Analysis ID:	1561471
MD5:	ad5bf840b79922950cbcd853a3e56134
SHA1:	5fe0ffa06bc526355af0ca520aa1750aee6499ef
SHA256:	5dc32a33db2f76834c6e96336d4bbbf276bc0b6b6cc9c02ad004607008dbe91a
Tags:	exeuser-4k95m
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

injector V2.4.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\injector V2.4.exe" MD5: AD5BF840B79922950CBCD853A3E56134)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

injector V2.4.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\injector V2.4.exe" MD5: AD5BF840B79922950CBCD853A3E56134)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["farewellnzu.icu"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1683104241.000000000071E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.injector V2.4.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.injector V2.4.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:14:31.699501+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.44.93	443	TCP
2024-11-23T14:14:33.707357+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.44.93	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:14:32.402220+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.44.93	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:14:32.402220+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.44.93	443	TCP

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: farewellnzu.icu

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: farewellnzu.icu

Source: unknown

Source: injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://farewellnzu.icu/
Source: injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723364681.000000000336E000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724050465.0000000003371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://farewellnzu.icu/api
Source: injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://farewellnzu.icu/apis
Source: injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://farewellnzu.icu/apiw
Source: injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://farewellnzu.icu/sion

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.21.44.93:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 2_2_004345A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_004345A0

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 2_2_004345A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_004345A0

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BEF4D0	0_2_00BEF4D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BF34D0	0_2_00BF34D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BF15A0	0_2_00BF15A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BEF980	0_2_00BEF980
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BE86C0	0_2_00BE86C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BECE70	0_2_00BECE70
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00C01FD2	0_2_00C01FD2
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BED7F0	0_2_00BED7F0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00408860	2_2_00408860
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00439ED0	2_2_00439ED0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0040D86B	2_2_0040D86B
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042B8C8	2_2_0042B8C8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042A0D0	2_2_0042A0D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042F8D5	2_2_0042F8D5
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004260E0	2_2_004260E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042C8E0	2_2_0042C8E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041B8F3	2_2_0041B8F3
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041B884	2_2_0041B884
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0044088C	2_2_0044088C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004050AC	2_2_004050AC
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041A0B4	2_2_0041A0B4
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00418940	2_2_00418940
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041C162	2_2_0041C162
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00432910	2_2_00432910
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0043D1D0	2_2_0043D1D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00405990	2_2_00405990
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004341A0	2_2_004341A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004049B0	2_2_004049B0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041CA4F	2_2_0041CA4F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00406A60	2_2_00406A60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0043DA00	2_2_0043DA00
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00409230	2_2_00409230
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004392D0	2_2_004392D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00442290	2_2_00442290
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0040AAA0	2_2_0040AAA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00426350	2_2_00426350
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00408360	2_2_00408360
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042F36A	2_2_0042F36A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00440B70	2_2_00440B70
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041AB32	2_2_0041AB32
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041B33C	2_2_0041B33C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00420BD0	2_2_00420BD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00421B80	2_2_00421B80
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00402BA0	2_2_00402BA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00437BB2	2_2_00437BB2
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042FC7B	2_2_0042FC7B
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00439C00	2_2_00439C00
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00423C30	2_2_00423C30
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00405432	2_2_00405432
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042E48F	2_2_0042E48F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00426490	2_2_00426490
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00432495	2_2_00432495
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042E488	2_2_0042E488
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00421D60	2_2_00421D60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00407570	2_2_00407570
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00441D00	2_2_00441D00
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00428D29	2_2_00428D29
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00439530	2_2_00439530
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004065C0	2_2_004065C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004425D0	2_2_004425D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004035A0	2_2_004035A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00420670	2_2_00420670
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042EE1E	2_2_0042EE1E
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042A6C2	2_2_0042A6C2
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042D6C8	2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00418ED3	2_2_00418ED3
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004246E0	2_2_004246E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004196E5	2_2_004196E5
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042EEEB	2_2_0042EEEB
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042EEFD	2_2_0042EEFD
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00409690	2_2_00409690
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0043A690	2_2_0043A690
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00440690	2_2_00440690
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042EEA3	2_2_0042EEA3
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042B6AA	2_2_0042B6AA
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00427EB0	2_2_00427EB0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042AEB5	2_2_0042AEB5
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00404F69	2_2_00404F69
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00405F00	2_2_00405F00
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0042970D	2_2_0042970D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00429725	2_2_00429725
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041FFE0	2_2_0041FFE0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004297ED	2_2_004297ED
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0040AFF0	2_2_0040AFF0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00441FF4	2_2_00441FF4
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0040DFF1	2_2_0040DFF1
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00428780	2_2_00428780
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_0041EF9C	2_2_0041EF9C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00430FA0	2_2_00430FA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BEF980	2_2_00BEF980
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BEF4D0	2_2_00BEF4D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BF34D0	2_2_00BF34D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BF15A0	2_2_00BF15A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BE86C0	2_2_00BE86C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BECE70	2_2_00BECE70
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00C01FD2	2_2_00C01FD2
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BED7F0	2_2_00BED7F0

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00BF8178 appears 36 times
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00BF55C0 appears 66 times
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00408170 appears 48 times
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00418930 appears 54 times

Source: injector V2.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: injector V2.4.exe

Static PE information: Section: .coS ZLIB complexity 1.0003339213709677

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@1/1

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 2_2_00439ED0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00439ED0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03

Source: injector V2.4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\injector V2.4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: injector V2.4.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\injector V2.4.exe

File read: C:\Users\user\Desktop\injector V2.4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"	Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: injector V2.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: injector V2.4.exe	Static PE information: section name: .00cfg
Source: injector V2.4.exe	Static PE information: section name: .coS

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BF4BC5 push ecx; ret	0_2_00BF4BD8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_004158C1 push 294FAF12h; iretd	2_2_004158C6
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00432131 push eax; retf	2_2_0043213A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00436FF2 push ebx; retf	2_2_00436FF3
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BF4BC5 push ecx; ret	2_2_00BF4BD8

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00BF4CA2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00BF4CA2

Source: C:\Users\user\Desktop\injector V2.4.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

API coverage: 7.0 %

Source: C:\Users\user\Desktop\injector V2.4.exe TID: 7512	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe TID: 7516	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00BFC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00BFC7DB

Source: injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 2_2_0043F0E0 LdrInitializeThunk,

2_2_0043F0E0

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00BF5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BF5444

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00C0B18D mov edi, dword ptr fs:[00000030h]	0_2_00C0B18D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BECD10 mov eax, dword ptr fs:[00000030h]	0_2_00BECD10
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BEBD50 mov edi, dword ptr fs:[00000030h]	0_2_00BEBD50
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BECD10 mov eax, dword ptr fs:[00000030h]	2_2_00BECD10
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BEBD50 mov edi, dword ptr fs:[00000030h]	2_2_00BEBD50

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00BF9F90 GetProcessHeap,

0_2_00BF9F90

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BF5438 SetUnhandledExceptionFilter,	0_2_00BF5438
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BF5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BF5444
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BF7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BF7DCA
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00BF4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BF4AD9
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BF4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00BF4AD9
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BF5438 SetUnhandledExceptionFilter,	2_2_00BF5438
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BF5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00BF5444
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 2_2_00BF7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00BF7DCA

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00C0B18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00C0B18D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\injector V2.4.exe

Memory written: C:\Users\user\Desktop\injector V2.4.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00BF5200 cpuid

0_2_00BF5200

Source: C:\Users\user\Desktop\injector V2.4.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00BF58C5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00BF58C5

Source: C:\Users\user\Desktop\injector V2.4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.injector V2.4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.injector V2.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683104241.000000000071E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.injector V2.4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.injector V2.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683104241.000000000071E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
injector V2.4.exe	39%	ReversingLabs	Win32.Trojan.Generic
injector V2.4.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://farewellnzu.icu/apiw	0%	Avira URL Cloud	safe
https://farewellnzu.icu/apis	0%	Avira URL Cloud	safe
https://farewellnzu.icu/sion	0%	Avira URL Cloud	safe
farewellnzu.icu	0%	Avira URL Cloud	safe
https://farewellnzu.icu/	0%	Avira URL Cloud	safe
https://farewellnzu.icu/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
farewellnzu.icu	104.21.44.93	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://farewellnzu.icu/api	true	Avira URL Cloud: safe	unknown
farewellnzu.icu	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://farewellnzu.icu/apis	injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://farewellnzu.icu/	injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://farewellnzu.icu/apiw	injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://farewellnzu.icu/sion	injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.44.93	farewellnzu.icu	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561471
Start date and time:	2024-11-23 14:13:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	injector V2.4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 72% Number of executed functions: 21 Number of non-executed functions: 108
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: injector V2.4.exe

Simulations

Behavior and APIs

Time	Type	Description
08:14:31	API Interceptor	2x Sleep call for process: injector V2.4.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.44.93	loader.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
farewellnzu.icu	loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	VMX.exe	Get hash	malicious	LummaC	Browse	172.67.198.61
	BlazeVaze.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Z8K4jt1j2H.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SecuriteInfo.com.Win32.Evo-gen.14915.21522.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.33.116
	psol.txt.ps1	Get hash	malicious	LummaC	Browse	172.66.0.235
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.67.179
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.20.178
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.44.93
	psol.txt.ps1	Get hash	malicious	LummaC	Browse	104.21.44.93
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	file.exe	Get hash	malicious	Unknown	Browse	104.21.44.93
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.44.93
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.44.93
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.44.93
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.729383688867627
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	injector V2.4.exe
File size:	495'616 bytes
MD5:	ad5bf840b79922950cbcd853a3e56134
SHA1:	5fe0ffa06bc526355af0ca520aa1750aee6499ef
SHA256:	5dc32a33db2f76834c6e96336d4bbbf276bc0b6b6cc9c02ad004607008dbe91a
SHA512:	bb60b4d7e4df59c368d35c21dd7405c2bb22a86f2954593f6bc63deda326a9bef7e8020d63c09a178ad413bd8f459fecac817d569735ce3eb551b552bb95c2b4
SSDEEP:	12288:SJB+nneDgkXFEI3uutVNyjs86iAB4mapRngti:2AoR2vgVSs8fi4m6ai
TLSH:	19B4E06E73E3E0E7E563183101D89A714A6F7E740F24A4FF57601F692B32AC28532A57
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x415870
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	887797384d81c493a9d8ee55dad3b2e1

Entrypoint Preview

Instruction
call 00007F3E70BD2B5Ah
jmp 00007F3E70BD29BDh
mov ecx, dword ptr [0042B5F0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F3E70BD2B56h
test esi, ecx
jne 00007F3E70BD2B78h
call 00007F3E70BD2B81h
mov ecx, eax
cmp ecx, edi
jne 00007F3E70BD2B59h
mov ecx, BB40E64Fh
jmp 00007F3E70BD2B60h
test esi, ecx
jne 00007F3E70BD2B5Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0042B5F0h], ecx
not ecx
pop edi
mov dword ptr [0042B5ECh], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [0042946Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00429430h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042942Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004294A8h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0042C970h
call dword ptr [00429488h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29254	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f000	0x1400	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x237c0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x293c8	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2169a	0x21800	02aff72e65eaf052f891170e28598361	False	0.550606343283582	data	6.737058354414408	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x7264	0x7400	91e5fdecc510d2c4e72b1b50db3c2501	False	0.40641837284482757	data	4.769873714467996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x2068	0x1000	f9b2b4b1f63578440eedd0ace5ac94f1	False	0.484375	OpenPGP Secret Key	5.090094544660231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x2e000	0x8	0x200	160c8b290b62e5e566d05ce3bec76423	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f000	0x1400	0x1400	29fb367912ce622b91120c5cffd84495	False	0.81953125	data	6.557860970753822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.coS	0x31000	0x4d800	0x4d800	d6785821ea266ee62aff7f76fdbcbdd5	False	1.0003339213709677	data	7.999419286386899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile

GDI32.dll

CreateEllipticRgn

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T14:14:31.699501+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.44.93	443	TCP
2024-11-23T14:14:32.402220+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.44.93	443	TCP
2024-11-23T14:14:32.402220+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.44.93	443	TCP
2024-11-23T14:14:33.707357+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.44.93	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:14:30.373831034 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:30.373930931 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:30.374047041 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:30.382143974 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:30.382175922 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:31.699274063 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:31.699501038 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:31.717003107 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:31.717058897 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:31.717482090 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:31.769115925 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:31.774549007 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:31.774610996 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:31.774727106 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:32.402187109 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:32.402273893 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:32.402384043 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:32.406563997 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:32.406630039 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:32.406666994 CET	49730	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:32.406683922 CET	443	49730	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:32.449119091 CET	49731	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:32.449174881 CET	443	49731	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:32.449289083 CET	49731	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:32.449558020 CET	49731	443	192.168.2.4	104.21.44.93
Nov 23, 2024 14:14:32.449587107 CET	443	49731	104.21.44.93	192.168.2.4
Nov 23, 2024 14:14:33.707356930 CET	49731	443	192.168.2.4	104.21.44.93

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:14:29.741909027 CET	55137	53	192.168.2.4	1.1.1.1
Nov 23, 2024 14:14:30.353306055 CET	53	55137	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 14:14:29.741909027 CET	192.168.2.4	1.1.1.1	0x69c4	Standard query (0)	farewellnzu.icu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 14:14:30.353306055 CET	1.1.1.1	192.168.2.4	0x69c4	No error (0)	farewellnzu.icu		104.21.44.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:14:30.353306055 CET	1.1.1.1	192.168.2.4	0x69c4	No error (0)	farewellnzu.icu		172.67.198.61	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

farewellnzu.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.44.93	443	7496	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 13:14:31 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: farewellnzu.icu
2024-11-23 13:14:31 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 13:14:32 UTC	1011	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 13:14:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nj3d0d7jhegu934o4dgfhpcblp; expires=Wed, 19-Mar-2025 07:01:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z8neciCSPJd2yfvVzvfvQ0DrIhQjVoTCXnz9hBnE6B%2Fyqyf%2F7xlC4bFpUXNVerUrxpIX6stvZcA1fCoc6aJDIPRLdASrN0bYGOtwbpsQHlzouH%2B1bdjEu%2Bk7tJP75nO9mH0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e716c3dedf25e71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1753&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1629464&cwnd=238&unsent_bytes=0&cid=5054836aacffd933&ts=720&x=0"
2024-11-23 13:14:32 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 13:14:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:14:28
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\injector V2.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\injector V2.4.exe"
Imagebase:	0xbe0000
File size:	495'616 bytes
MD5 hash:	AD5BF840B79922950CBCD853A3E56134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1683104241.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:14:28
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:14:29
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\injector V2.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\injector V2.4.exe"
Imagebase:	0xbe0000
File size:	495'616 bytes
MD5 hash:	AD5BF840B79922950CBCD853A3E56134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.5%
Signature Coverage:	3.7%
Total number of Nodes:	1563
Total number of Limit Nodes:	27

Executed Functions

Function 00C0B18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00C0B0FF,00C0B0EF), ref: 00C0B323
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00C0B336
Wow64GetThreadContext.KERNEL32(0000011C,00000000), ref: 00C0B354
ReadProcessMemory.KERNELBASE(00000120,?,00C0B143,00000004,00000000), ref: 00C0B378
VirtualAllocEx.KERNELBASE(00000120,?,?,00003000,00000040), ref: 00C0B3A3
WriteProcessMemory.KERNELBASE(00000120,00000000,?,?,00000000,?), ref: 00C0B3FB
WriteProcessMemory.KERNELBASE(00000120,00400000,?,?,00000000,?,00000028), ref: 00C0B446
WriteProcessMemory.KERNELBASE(00000120,?,?,00000004,00000000), ref: 00C0B484
Wow64SetThreadContext.KERNEL32(0000011C,005E0000), ref: 00C0B4C0
ResumeThread.KERNELBASE(0000011C), ref: 00C0B4CF

Strings

CreateProcessW, xrefs: 00C0B23F
ResumeThread, xrefs: 00C0B2C7
GetP, xrefs: 00C0B20D
TerminateProcess, xrefs: 00C0B3B2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00C0B322
aryA, xrefs: 00C0B1D1
ReadProcessMemory, xrefs: 00C0B278
SetThreadContext, xrefs: 00C0B2B1
Load, xrefs: 00C0B1C9
VirtualAlloc, xrefs: 00C0B252
VirtualAllocEx, xrefs: 00C0B28B
ress, xrefs: 00C0B215
GetThreadContext, xrefs: 00C0B265
WriteProcessMemory, xrefs: 00C0B29E

Memory Dump Source

Source File: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 8d4e543c5eb0d67662eba10edae79d59783eec53457160c00fdb73d98c0e21e9
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 7EB1F67660064AAFDB60CF68CC80BDA73A5FF88714F158524EA18AB341D770FE51CB94

Function 00BECD10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec8d057e21f5a34acd31744d597624369ba0d622b65525e7d55aaa66c29275d
Instruction ID: d512fc146881b070452df5903490e00b9c0b9febc137d83ab513c0128f66ac33
Opcode Fuzzy Hash: 9ec8d057e21f5a34acd31744d597624369ba0d622b65525e7d55aaa66c29275d
Instruction Fuzzy Hash: 6A011474A0421C8FCB14DF69C885BE9FBF0EB18710F0184E9A88897351EB74AA84CF85

Function 00BF9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,E0819244,?,00BF9EE2,?,?,00000000), ref: 00BF9E94

Strings

ext-ms-, xrefs: 00BF9E3E
api-ms-, xrefs: 00BF9E2A

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e17affb814c991920ba91e83641929e52070b7b8a698b84b2bd69f8900b0bacf
Instruction ID: ed0e822b1a5da0cbf6fd5f9c47287e29f14db6caee0e19ada2032e32a0482e19
Opcode Fuzzy Hash: e17affb814c991920ba91e83641929e52070b7b8a698b84b2bd69f8900b0bacf
Instruction Fuzzy Hash: 0021A831A00215ABD721DB65DC41B7E7798EF81B60B260160EE55E7295DB30ED0DC6D0

Function 00BEBEB0 Relevance: 9.2, APIs: 6, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00BEBF10

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb4fd1d2dc6e817f6408e9fb33ef367da43d719b1af631ca43abbcf0a779dc84
Instruction ID: 4d294faba41fc6ffa8bdd8516b629874675f20ef1cdc93af38bfe617282d2ae2
Opcode Fuzzy Hash: eb4fd1d2dc6e817f6408e9fb33ef367da43d719b1af631ca43abbcf0a779dc84
Instruction Fuzzy Hash: 4C7156B4904249CFCB04DFADD598AAEFFF0EB08700F1085AAE846AB351D73499459F92

Function 00BF6CE6 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00016E00,00000000,?,?), ref: 00BF6D2F
GetLastError.KERNEL32(?,00000000,00000000,?,00BF3BEA), ref: 00BF6D3B
__dosmaperr.LIBCMT ref: 00BF6D42

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: b32de6c93ba750fa5c19db56589501f48d582e3976da5c27b7c389657c3c536d
Instruction ID: 4212de34ba5c80d2fbd6c8f5813f8ce8f4e537f905a99d9af9fe861ff2e77275
Opcode Fuzzy Hash: b32de6c93ba750fa5c19db56589501f48d582e3976da5c27b7c389657c3c536d
Instruction Fuzzy Hash: FE014CBA60020DABDF15AFA0DC05ABE3BE5EF40764F1040A8BE0197160DB71DE58DB90

Function 00BF6FEF Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00BF70B1,00BF83A0,00BF83A0,?,00000002,E0819244,00BF83A0,00000002), ref: 00BF7000
TerminateProcess.KERNEL32(00000000,?,00BF70B1,00BF83A0,00BF83A0,?,00000002,E0819244,00BF83A0,00000002), ref: 00BF7007
ExitProcess.KERNEL32 ref: 00BF7019

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6fc8c638f05bb6d5918e6beafbfef27558c861dafc5656c6d5518cf52a5711f1
Instruction ID: 9e7a2fea5518daac54eaf43c59930e4678f1febaf46c648c56106d7bfc9e65e3
Opcode Fuzzy Hash: 6fc8c638f05bb6d5918e6beafbfef27558c861dafc5656c6d5518cf52a5711f1
Instruction Fuzzy Hash: 92D06C32004108ABCF112FA0EC49BAD3FAAEF44351B4580A0BA494A172CF35DD9ADB90

Function 00BFA732 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00BFA621,00C0A088,0000000C), ref: 00BFA77E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00BFA621,00C0A088,0000000C), ref: 00BFA790

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ccc0569ba6ec20068634556babf436ecda7fe3ab197a8e551e9828ccab10ce5b
Instruction ID: 7b0187d75b600b34602da13a4760fbcb3e334b34f69b87696f3b17ba4a9956a9
Opcode Fuzzy Hash: ccc0569ba6ec20068634556babf436ecda7fe3ab197a8e551e9828ccab10ce5b
Instruction Fuzzy Hash: 141163A15047554ACB386A3E8CC8A366AE4EB56330B240799D7BA875F2C634DC4AD342

Function 00BF6E00 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00C09D20,0000000C), ref: 00BF6E13
ExitThread.KERNEL32 ref: 00BF6E1A

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: d13feaedb5c93a6a4acb5742c84934e524c036e9d3d1305c388151ada4872fcb
Instruction ID: 94f812d60ab8c104c03870d98073e65e812d91fc22aff9b66abb53c663a29db4
Opcode Fuzzy Hash: d13feaedb5c93a6a4acb5742c84934e524c036e9d3d1305c388151ada4872fcb
Instruction Fuzzy Hash: 74F0C275A40208AFDB04AFB0C84AB3E3BF5FF04700F104599F605972A2CB705909CB91

Function 00BFB0CB Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00BFBC39,?,00000000,?,?,00BFBB55,?,00000007,?,?,00BFC16E,?,?), ref: 00BFB0E1
GetLastError.KERNEL32(?,?,00BFBC39,?,00000000,?,?,00BFBB55,?,00000007,?,?,00BFC16E,?,?), ref: 00BFB0EC

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 68e139758d604169dce0dd28151b7a340bbaf265424fb9777353e7829b2a5f21
Instruction ID: de98c3661b0e0ca3f5906521f7bbe9f429d4d0360150535fe877385ae7269617
Opcode Fuzzy Hash: 68e139758d604169dce0dd28151b7a340bbaf265424fb9777353e7829b2a5f21
Instruction Fuzzy Hash: 8FE0EC3250021CABCF112BA4FD0AFAD7ADDEB84795F1100A0F70897072DB349A55CB94

Function 00BF3B60 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca7c13b1da7c12c26101ae078b12dedd62e7d4d01ea7db42871825d4728ac57
Instruction ID: 39a20a9b6691ba5fb02f7cbf5e232de78a344b999b90387056915d70e0b5a848
Opcode Fuzzy Hash: 8ca7c13b1da7c12c26101ae078b12dedd62e7d4d01ea7db42871825d4728ac57
Instruction Fuzzy Hash: 2131E2B4E043098BCB04DFA9C5946BEBBF0FF48700F1084AAE556AB341DB359A48CF55

Function 00BF9E9E Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834638682cac794105a66189f54ea4d0ed38baa821045b4747126e10c0a9731e
Instruction ID: fb9c4cb8c0cf629748e0efe8a28903165b133e43d8e7b693efe0538b20215ba5
Opcode Fuzzy Hash: 834638682cac794105a66189f54ea4d0ed38baa821045b4747126e10c0a9731e
Instruction Fuzzy Hash: B101D63360422E5BDB02CF69EC80B3A77E5FB807207294164F704D7195EB31AC08D690

Function 00BECD90 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEllipticRgn.GDI32 ref: 00BECDF9

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: CreateElliptic
String ID:
API String ID: 1611293138-0
Opcode ID: 2bc955eec67afbdbab5f1eead6ab8c90e3c487543abd7e02904e203873ac9254
Instruction ID: 8ebec95d3e548bab1a2013391ea9f5c76049a112b79f4a7e9096f269ec007daf
Opcode Fuzzy Hash: 2bc955eec67afbdbab5f1eead6ab8c90e3c487543abd7e02904e203873ac9254
Instruction Fuzzy Hash: 5311E5B0D003099BCB04EFA9C4597AEFBF1FF48304F508969D865AB351EB74A608CB91

Function 00BFBC45 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BF41E0,?,?,00BF1007,?,00BEFAB5), ref: 00BFBC77

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 13dc80719812e49e0e57534bb847e82dc32170b75f63f24e0a31f7b8fe901b26
Instruction ID: 4f466bfe684bd0bcde88dcbe53ffd3b3a365ff0d548a3ca64ccf6dcc83ba1935
Opcode Fuzzy Hash: 13dc80719812e49e0e57534bb847e82dc32170b75f63f24e0a31f7b8fe901b26
Instruction Fuzzy Hash: FEE0ED3110062D67EA212A65DC01FBF7AC8EF823A0F0A12E1FE18970A0CF20CC08C2A0

Non-executed Functions

Function 00BF4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00BF4CB6
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BF4CC4
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00BF4CD5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00BF4CE6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00BF4CF7
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00BF4D08
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00BF4D19
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00BF4D2A
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00BF4D3B
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00BF4D4C
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00BF4D5D
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00BF4D6E
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00BF4D7F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00BF4D90
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00BF4DA1
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00BF4DB2
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00BF4DC3
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00BF4DD4
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00BF4DE5
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00BF4DF6
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00BF4E07
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00BF4E18
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00BF4E29
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00BF4E3A
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00BF4E4B
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00BF4E5C
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BF4E6D
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00BF4E7E
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BF4E8F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BF4EA0
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00BF4EB1
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00BF4EC2
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00BF4ED3
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00BF4EE4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00BF4EF5
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00BF4F06
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00BF4F17
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00BF4F28
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00BF4F39
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00BF4F4A
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00BF4F5B

Strings

CompareStringEx, xrefs: 00BF4F2E
FreeLibraryWhenCallbackReturns, xrefs: 00BF4DDA
InitializeCriticalSectionEx, xrefs: 00BF4CFD
GetCurrentProcessorNumber, xrefs: 00BF4DEB
AcquireSRWLockExclusive, xrefs: 00BF4EB7
CloseThreadpoolWait, xrefs: 00BF4DB8
ReleaseSRWLockExclusive, xrefs: 00BF4ED9
GetLocaleInfoEx, xrefs: 00BF4F3F
CreateSemaphoreExW, xrefs: 00BF4D41
InitializeConditionVariable, xrefs: 00BF4E62
SetThreadpoolWait, xrefs: 00BF4DA7
CloseThreadpoolWork, xrefs: 00BF4F1D
InitializeSRWLock, xrefs: 00BF4EA6
GetFileInformationByHandleEx, xrefs: 00BF4E2F
kernel32.dll, xrefs: 00BF4CB1
CloseThreadpoolTimer, xrefs: 00BF4D85
FlushProcessWriteBuffers, xrefs: 00BF4DC9
GetSystemTimePreciseAsFileTime, xrefs: 00BF4E51
FlsSetValue, xrefs: 00BF4CEC
GetCurrentPackageId, xrefs: 00BF4E0D
CreateThreadpoolWork, xrefs: 00BF4EFB
WakeConditionVariable, xrefs: 00BF4E73
SleepConditionVariableSRW, xrefs: 00BF4EEA
SubmitThreadpoolWork, xrefs: 00BF4F0C
CreateSymbolicLinkW, xrefs: 00BF4E01
CreateEventExW, xrefs: 00BF4D1F
GetTickCount64, xrefs: 00BF4E1E
LCMapStringEx, xrefs: 00BF4F50
CreateSemaphoreW, xrefs: 00BF4D30
SetFileInformationByHandle, xrefs: 00BF4E40
TryAcquireSRWLockExclusive, xrefs: 00BF4EC8
InitOnceExecuteOnce, xrefs: 00BF4D0E
CreateThreadpoolWait, xrefs: 00BF4D96
FlsFree, xrefs: 00BF4CCA
WakeAllConditionVariable, xrefs: 00BF4E84
SleepConditionVariableCS, xrefs: 00BF4E95
WaitForThreadpoolTimerCallbacks, xrefs: 00BF4D74
CreateThreadpoolTimer, xrefs: 00BF4D52
SetThreadpoolTimer, xrefs: 00BF4D63
FlsGetValue, xrefs: 00BF4CDB
FlsAlloc, xrefs: 00BF4CBE

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 3cfce96934d69dd3d158a8b956612afe0409a45614df97f061387e2387a46452
Instruction ID: 9959169181646adab859ff2cf698aef191d30503674ef9c0f2b1253e83465059
Opcode Fuzzy Hash: 3cfce96934d69dd3d158a8b956612afe0409a45614df97f061387e2387a46452
Instruction Fuzzy Hash: AB610471996360ABD7006FF4AC8DBCE3BE8EB197053024626B141D32E3DBB56191CF64

Function 00BECE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BECF90
std::_Throw_Cpp_error.LIBCPMT ref: 00BED216

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: Cpp_errorCurrentThreadThrow_std::_
String ID:
API String ID: 350343453-0
Opcode ID: e10dea58889adbb307f00f8c1423ba566dd9f8c694ca36457ba69265073e14da
Instruction ID: 1c948039500320d31c6efdeff7c4c99ed4df542c5b2c31b566adfe9853611a77
Opcode Fuzzy Hash: e10dea58889adbb307f00f8c1423ba566dd9f8c694ca36457ba69265073e14da
Instruction Fuzzy Hash: 29F1F876E505504FEF008A7CC8A93DF6FE68B66330F2A5729DA745B7D2D627440A8F80

Function 00BFC7DB Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00BFC8CB
FindNextFileW.KERNEL32(00000000,?), ref: 00BFC9BF
FindClose.KERNEL32(00000000), ref: 00BFC9FE
FindClose.KERNEL32(00000000), ref: 00BFCA31

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 9c9d5a5017ce4b7eaff2d73c0cf39822f60ac02f52f906c55b59cb4bea691d28
Instruction ID: 2113b53c0319d18d87367f4e6aba8ac27214f56628919e0e33d4e85950505f46
Opcode Fuzzy Hash: 9c9d5a5017ce4b7eaff2d73c0cf39822f60ac02f52f906c55b59cb4bea691d28
Instruction Fuzzy Hash: 4671AD7180412D9EDF21EF288D89ABABBF9EB45300F1441D9E149A7251EB319EC99F50

Function 00BF5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00BF5450
IsDebuggerPresent.KERNEL32 ref: 00BF551C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BF553C
UnhandledExceptionFilter.KERNEL32(?), ref: 00BF5546

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5c324abcfb6c0557592fea825455e0bff7752f1b86c1f358085741eda56bb92f
Instruction ID: 8c259d9712d3a9b6e0f1c8a8c937cca19278bab2048d5f88286bf27e47099d25
Opcode Fuzzy Hash: 5c324abcfb6c0557592fea825455e0bff7752f1b86c1f358085741eda56bb92f
Instruction Fuzzy Hash: 933106B5D0521C9BDB20DFA4D9897CDBBF8EF08304F1040EAE509AB251EB709A89CF45

Function 00BF7DCA Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BF7EC2
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BF7ECC
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00BF7ED9

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5ac3ed2f8e5ce7bbd3105ad4c22e384bd72ef0222a24b1d590bdd28b2a54912c
Instruction ID: 01bd7fb1cb79d8c0c9036f41e5d2598f3ab831aec72319b4bac02eb27caf6a62
Opcode Fuzzy Hash: 5ac3ed2f8e5ce7bbd3105ad4c22e384bd72ef0222a24b1d590bdd28b2a54912c
Instruction Fuzzy Hash: 6231A07494122D9BCB21DF68D889B9DBBF8BF08350F5041EAE518A7291EB709F858F44

Function 00BF15A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00BF2437

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ___std_exception_destroy
String ID:
API String ID: 4194217158-0
Opcode ID: 9fe05634b406416183ca5e2b8013cb4993e468ae684bc498c3f734f2a462277b
Instruction ID: b3e1e07e93ed7abc56a49d48c8bfaf519f92f5a3efea1c6a3dc11e340fbe76d7
Opcode Fuzzy Hash: 9fe05634b406416183ca5e2b8013cb4993e468ae684bc498c3f734f2a462277b
Instruction Fuzzy Hash: ADA26966A555844FEF024AB884B93DF6FE24B6B730F6A2755C6F06F2D3D50B000B9B60

Function 00BED7F0 Relevance: 2.6, Strings: 1, Instructions: 1327COMMONLIBRARYCODE

Download Yara Rule

Strings

-g}5, xrefs: 00BED8D2

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID: -g}5
API String ID: 0-4071012034
Opcode ID: 992c596186b112b54ea6f0d0a9143963a587a17d7b97bb58cecc4f1f6cc33eac
Instruction ID: 1859ac0d753cdc1b208b20265076d9ef4a2dc022b69258dde68629f1d9e00e4e
Opcode Fuzzy Hash: 992c596186b112b54ea6f0d0a9143963a587a17d7b97bb58cecc4f1f6cc33eac
Instruction Fuzzy Hash: 989297A6A556C45FEF024AB8D4A93DF6FF24B6B331F6E2B5586E01F2D3C507004A9B10

Function 00C01FD2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C01F2D,?,?,00000008,?,?,00C01AFF,00000000), ref: 00C021FF

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2d78dc69a2b4f029ca228a28742bd09e17c37460be8955b2d5bff4f52011557
Instruction ID: bcb9fb1b44d8603bf4a1b5d0f7b1ff01e4b4df12def72edf5c721c2162894f8c
Opcode Fuzzy Hash: f2d78dc69a2b4f029ca228a28742bd09e17c37460be8955b2d5bff4f52011557
Instruction Fuzzy Hash: 9AB11C31510609DFDB15CF28C48AB657BE1FF45364F258658E9A9CF2E1C335DA92CB40

Function 00BF5200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BF5216

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bc52dd50e5ff7167f685f946a10cbbb8675f44d93dbab87ba2b6fc13e2324905
Instruction ID: c15a14a7d467adcfe6b461057d00e1e3870c8948e809d5b1110eee6c8b3d54a5
Opcode Fuzzy Hash: bc52dd50e5ff7167f685f946a10cbbb8675f44d93dbab87ba2b6fc13e2324905
Instruction Fuzzy Hash: DC5192B1A01B098FDB28CF58D8857AEB7F0FB48710F25896AD606EB250D3B59D44CF94

Function 00BEF4D0 Relevance: 1.6, Strings: 1, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

Strings

k#fz, xrefs: 00BEF718

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID: k#fz
API String ID: 0-1948189604
Opcode ID: 0b2a69b4d4c40d31a2fd6109f71d6f0e2cd377cec7e4ba67302a6debf084dbad
Instruction ID: 9206574a8d3c9f0d82f7fd461d1b5b173c5a8eedebea2620251203705a52d03f
Opcode Fuzzy Hash: 0b2a69b4d4c40d31a2fd6109f71d6f0e2cd377cec7e4ba67302a6debf084dbad
Instruction Fuzzy Hash: A8D13072E115588FDB50CEBDC94069DB7F2AB88720F2A8369E875FB2D4D7349D418B80

Function 00BF5438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00015560), ref: 00BF543D

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d903d951ad8a126cd5139b01211dfbfd5e6c7b16a6ee5514ef0d37530f1da8e
Instruction ID: ccc090a2562c7eda170ec8518016d600885c5368a252f8c7acb9c73b10b56f1a
Opcode Fuzzy Hash: 0d903d951ad8a126cd5139b01211dfbfd5e6c7b16a6ee5514ef0d37530f1da8e
Instruction Fuzzy Hash:

Function 00BF9F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00BF9F90

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 42f87be6eed9ed629b73032582528b21a63e002ac0f8f0fec8673ec0f75bed67
Instruction ID: 0335af2072e1c6cea1979b0322a4ca96af80e5d5cccd2a1d364743c9339c0789
Opcode Fuzzy Hash: 42f87be6eed9ed629b73032582528b21a63e002ac0f8f0fec8673ec0f75bed67
Instruction Fuzzy Hash: 21A00170A423018BDB408FB6AA8930E3AA9AA4569270681A9A445C5262EA349455DB01

Function 00BE86C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1f80e5cbc67bcc5f598989ee5053d9e528593811c439a1cce431965df739b0
Instruction ID: c18c29d1a810df270acd7b24cd54401a4f1257886ddec037d8e8c12c9d36c414
Opcode Fuzzy Hash: 2f1f80e5cbc67bcc5f598989ee5053d9e528593811c439a1cce431965df739b0
Instruction Fuzzy Hash: 4F32D276E446844FEB018ABCC4A43DF6FF24B6B334F2A2759C5A46F3D6DA17440A8B50

Function 00BF34D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd85424fcc23ec56f238e203d44f7d0493502fedd55892d3576965c176ec3425
Instruction ID: d2e528fa1059e7aec0b641938136f19e87c651261571a84fe903a9bdf669aff5
Opcode Fuzzy Hash: fd85424fcc23ec56f238e203d44f7d0493502fedd55892d3576965c176ec3425
Instruction Fuzzy Hash: 8D02B177A916504FEF01497CC8B83DB1BE787A7735E2A2766CAB05B2E2C55B000E9B50

Function 00BEF980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e064e8ccb9f31a03a5cb251512e8b698ad6a8cf69a23b3f5316cb991e6a22c3
Instruction ID: 829914197b46133d80a0d409b31dbb01e2c6f7e664239eecd0db6a94ae86b18e
Opcode Fuzzy Hash: 2e064e8ccb9f31a03a5cb251512e8b698ad6a8cf69a23b3f5316cb991e6a22c3
Instruction Fuzzy Hash: 43E10972A505914FDF00897CC4A83EF2FE2876B334F2A2766D9B46F7D2D61B18099B50

Function 00BEBD50 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b433ea43dba5ef098b9610e8c1b21ad53c0e9763eee949adc3e02e1a0cfd9356
Instruction ID: 95f1e2662cfe5ef89cb92f0155985dda15d18ca2e6c0580141867d8255487e44
Opcode Fuzzy Hash: b433ea43dba5ef098b9610e8c1b21ad53c0e9763eee949adc3e02e1a0cfd9356
Instruction Fuzzy Hash: B9D06C3A645A59AFC210CF89E840E41F7A8FB89670B164066EA0893B20C331FC11CAE0

Function 00BF90D3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00BF91F2
___TypeMatch.LIBVCRUNTIME ref: 00BF9300
CatchIt.LIBVCRUNTIME ref: 00BF9351
_UnwindNestedFrames.LIBCMT ref: 00BF9452
CallUnexpected.LIBVCRUNTIME ref: 00BF946D

Strings

csm, xrefs: 00BF9229
csm, xrefs: 00BF9110
csm, xrefs: 00BF917D

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: a85b8301ec30d7f3f822fc8506420b9c817e0394937de28336c890d7d9dad64b
Instruction ID: 04117debde8519069a5227cd13b65fd4c2c80f98dd166eb16bdd7d6052d05918
Opcode Fuzzy Hash: a85b8301ec30d7f3f822fc8506420b9c817e0394937de28336c890d7d9dad64b
Instruction Fuzzy Hash: 10B1397180020DEFCF25DFA4C881ABEB7F5FF14310B1441AAEA156B256D731DA5ACB91

Function 00C00308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,00C002F3,?,?,?,?,?,?,?,?,?), ref: 00C003AE
__alloca_probe_16.LIBCMT ref: 00C00469
__alloca_probe_16.LIBCMT ref: 00C004F8
__freea.LIBCMT ref: 00C00543
__freea.LIBCMT ref: 00C00549
__freea.LIBCMT ref: 00C0057F
__freea.LIBCMT ref: 00C00585
__freea.LIBCMT ref: 00C00595

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: df2a1343e55422f3ab81f8736f2124fbd294aeb14cbbd7392ee6dd8aac61b462
Instruction ID: 144af6810fc16bcbcaebad062a710007ea130d5a5a7266b93fdb72381e8fb8c3
Opcode Fuzzy Hash: df2a1343e55422f3ab81f8736f2124fbd294aeb14cbbd7392ee6dd8aac61b462
Instruction Fuzzy Hash: E971B372A002499BDF219B94CC41FBF7BE99F49310F3A0059EA24A72D1E775DE04CB59

Function 00BF6130 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BF6167
___except_validate_context_record.LIBVCRUNTIME ref: 00BF616F
_ValidateLocalCookies.LIBCMT ref: 00BF61F8
__IsNonwritableInCurrentImage.LIBCMT ref: 00BF6223
_ValidateLocalCookies.LIBCMT ref: 00BF6278

Strings

csm, xrefs: 00BF620D

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c3384e12945ca581c39902584b1eaf1472fde197c3f74f3c0d6b23f5d808e1c3
Instruction ID: 1eccd9d8aeabbf0634eaa684064ce48c69eb92715dd3219b36352811f5fb8041
Opcode Fuzzy Hash: c3384e12945ca581c39902584b1eaf1472fde197c3f74f3c0d6b23f5d808e1c3
Instruction Fuzzy Hash: 3A419534A0021DABCF10DF68C884BAEBBE5EF45314F1481E5EE156B392D731AE19CB91

Function 00BF883A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BF8831,00BF5F0D,00BF55A4), ref: 00BF8848
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BF8856
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF886F
SetLastError.KERNEL32(00000000,00BF8831,00BF5F0D,00BF55A4), ref: 00BF88C1

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e992e2dce66c5861683bbe4930510dbd1608e3818488cc1b08354c74a70cf712
Instruction ID: 2a931cccd6dd1ac0e9e4b4a1c6490fbe1bfbe355e8d1dd584ee84283b2524d6b
Opcode Fuzzy Hash: e992e2dce66c5861683bbe4930510dbd1608e3818488cc1b08354c74a70cf712
Instruction Fuzzy Hash: 3A01B5321192195DEA241BB47C86B3E27D5EB127F476103A9F320470F1EF524C09A244

Function 00BFCB54 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\injector V2.4.exe, xrefs: 00BFCB70

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\injector V2.4.exe
API String ID: 0-3565623196
Opcode ID: 955882cf93f7f3e8ad3b0b092ac45e878e63eb8a9d217aa13de9b7e0ce185d33
Instruction ID: c8dd7db305483ed6bbdcbf04e1915b3659bc80e7d541be1c11e5ee5691e35877
Opcode Fuzzy Hash: 955882cf93f7f3e8ad3b0b092ac45e878e63eb8a9d217aa13de9b7e0ce185d33
Instruction Fuzzy Hash: E721F37520020DAFDB20AF65DE82E3A7BE8EF403A47104595FA29D7152DB30ECC8D790

Function 00BF6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E0819244,?,?,00000000,00C025EB,000000FF,?,00BF7015,00000002,?,00BF70B1,00BF83A0), ref: 00BF6F89
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BF6F9B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00C025EB,000000FF,?,00BF7015,00000002,?,00BF70B1,00BF83A0), ref: 00BF6FBD

Strings

CorExitProcess, xrefs: 00BF6F93
mscoree.dll, xrefs: 00BF6F82

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6a3b9cde30973e58df25852b68efc72735822e80280660b91068c36b71907a6a
Instruction ID: e515fec78754dfbfea5829818a83c376bf4c00ebc707a7ba403d3c5b705c426a
Opcode Fuzzy Hash: 6a3b9cde30973e58df25852b68efc72735822e80280660b91068c36b71907a6a
Instruction Fuzzy Hash: 1501623194462AABDB118F90DC09FAEB7B8FB04B15F050525F811A26D0DB759904CA90

Function 00BFDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00BFDFA2
__alloca_probe_16.LIBCMT ref: 00BFE06B
__freea.LIBCMT ref: 00BFE0D2

Part of subcall function 00BFBC45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BF41E0,?,?,00BF1007,?,00BEFAB5), ref: 00BFBC77

__freea.LIBCMT ref: 00BFE0E5
__freea.LIBCMT ref: 00BFE0F2

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: fc6e2dc4b61f699bc53977c92f33cb867ae3f96ff4170eaca8eb6a66eb140f01
Instruction ID: b114c4d10f57c2b549fcc239925604a170edb09b154b50d8fc8045590f6a6c4e
Opcode Fuzzy Hash: fc6e2dc4b61f699bc53977c92f33cb867ae3f96ff4170eaca8eb6a66eb140f01
Instruction Fuzzy Hash: 1351907260024EABEB215E70CC82EBB76EAEF44710B1545B9FB25D7161EFB1CC58C660

Function 00BF94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00BF93FE,?,?,00000000,00000000,00000000,?), ref: 00BF951D
CatchIt.LIBVCRUNTIME ref: 00BF9603

Strings

RCC, xrefs: 00BF9537
MOC, xrefs: 00BF952F

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 80d8a59b711a7d1e7ba9d213401a8ed8ee4ea404803b36b5a3ecbf54aaa7a26f
Instruction ID: 9233295e5f34a4b44bdfdf3f2e13326d48553394d5f89e71a1092b7d36d0d8f1
Opcode Fuzzy Hash: 80d8a59b711a7d1e7ba9d213401a8ed8ee4ea404803b36b5a3ecbf54aaa7a26f
Instruction Fuzzy Hash: 6A41467190020DAFDF16DF98CD81AAEBBF5FF48300F188099FA05AB221D7359954DB50

Function 00BFDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00BFDCFA,00000000,?,00C0CCD0,?,?,?,00BFDC31,00000004,InitializeCriticalSectionEx,00C046F8,00C04700), ref: 00BFDC6B
GetLastError.KERNEL32(?,00BFDCFA,00000000,?,00C0CCD0,?,?,?,00BFDC31,00000004,InitializeCriticalSectionEx,00C046F8,00C04700,00000000,?,00BF971C), ref: 00BFDC75
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00BFDC9D

Strings

api-ms-, xrefs: 00BFDC82

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d7cd564992babcfcfdd1d69d6d40d1239493b4136ff09be19c2ecd4859f5fd4c
Instruction ID: 163ffecce80257001ea825d951d2f1a501dec059acd330de694f3c54f5a18959
Opcode Fuzzy Hash: d7cd564992babcfcfdd1d69d6d40d1239493b4136ff09be19c2ecd4859f5fd4c
Instruction Fuzzy Hash: 94E04830240209BBEF112F91DC06B6D7F95EB01B54F104070FA0DE90E1EBB29815C544

Function 00BFE5E8 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E0819244,00000000,00000000,?), ref: 00BFE64B

Part of subcall function 00BFD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,00BF87B1,?,00000000,?), ref: 00BFD192

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BFE89D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00BFE8E3
GetLastError.KERNEL32 ref: 00BFE986

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ba4038ca34f09bbedd8d5dfe2f4256af71d4c7303181a43e3ea28ff41bcc30f2
Instruction ID: c040e13a5ea7cc5aadb04dc121bdd8ee1741d9b5b001453a82ad0eb5e71213a6
Opcode Fuzzy Hash: ba4038ca34f09bbedd8d5dfe2f4256af71d4c7303181a43e3ea28ff41bcc30f2
Instruction Fuzzy Hash: 40D15A75D0025C9FCF15CFA8C880ABDBBF5EF09314F1885AAE665EB261D630E945CB60

Function 00BF8EFC Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00BF8FC3
___AdjustPointer.LIBCMT ref: 00BF8FE6
___AdjustPointer.LIBCMT ref: 00BF9082

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f016420ed7f52fa853066586e7f354e691199a1dab64de3e6cdfa1ebe7c48fa3
Instruction ID: e343cfc444d9f41a74c62a7c2d6664d9bbc7cbf44f7c5264f811b3fbd210ad3b
Opcode Fuzzy Hash: f016420ed7f52fa853066586e7f354e691199a1dab64de3e6cdfa1ebe7c48fa3
Instruction Fuzzy Hash: F851E17260560EAFEB298F64D841BBA77E5FF40300F1445ADEB459B2A1EB31EC58C790

Function 00BFC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00BFD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,00BF87B1,?,00000000,?), ref: 00BFD192

GetLastError.KERNEL32 ref: 00BFC61C
__dosmaperr.LIBCMT ref: 00BFC623
GetLastError.KERNEL32(?,?,?,?), ref: 00BFC65D
__dosmaperr.LIBCMT ref: 00BFC664

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 4d22ccc8c7a3e447bea71357ffbadbd3f7bdd913f093b0b829633deb87c9b971
Instruction ID: 6ca332834d6449d38d398a87a7aa65955b4245359e5580309a9545fab2d7eaa4
Opcode Fuzzy Hash: 4d22ccc8c7a3e447bea71357ffbadbd3f7bdd913f093b0b829633deb87c9b971
Instruction Fuzzy Hash: A921A17160420EBF9B10AF65CA81D7ABBE9EF553647208598FA25D7511DB30EC88CB90

Function 00BFD22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BFD235

Part of subcall function 00BFD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,00BF87B1,?,00000000,?), ref: 00BFD192

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BFD26D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BFD28D

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 8bc9c5b073f372933bde5fad6fda2d60ee30eb9cf7a4bac6c1d826e811b1c573
Instruction ID: 5168879ea0987e53118d710b18d15d369b3db7f23726b5bb1520c35a8282f799
Opcode Fuzzy Hash: 8bc9c5b073f372933bde5fad6fda2d60ee30eb9cf7a4bac6c1d826e811b1c573
Instruction Fuzzy Hash: E611A1B650151D7EA72127B1DC89EBF69EEDE853A47500095FB0193102FF70CE0A85B1

Function 00C007C0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000), ref: 00C007D7
GetLastError.KERNEL32(?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000,?,?,?,00BFE320,00000000), ref: 00C007E3

Part of subcall function 00C00840: CloseHandle.KERNEL32(FFFFFFFE,00C007F3,?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000,?,?), ref: 00C00850

___initconout.LIBCMT ref: 00C007F3

Part of subcall function 00C00815: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C007B1,00BFFF1E,?,?,00BFE9DA,?,00000000,00000000,?), ref: 00C00828

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000,?), ref: 00C00808

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ceccd652282d32dcf265b3515b0f2f34a0895bc1a58ba485c0419ad92deac955
Instruction ID: b31d9c7b2fe400462d77590c9afb78888f7205bc9d7bac1951edb179a5f6b1f1
Opcode Fuzzy Hash: ceccd652282d32dcf265b3515b0f2f34a0895bc1a58ba485c0419ad92deac955
Instruction Fuzzy Hash: 73F0F836000118BBCF221FD1DC08BCE3F2AFF087A1F12C521FA18851A2C6728920EB90

Function 00BF8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00BF8D75

Strings

csm, xrefs: 00BF8E08
csm, xrefs: 00BF8D97

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 1ead65938a8827f4dd5abd66fbe1bd295556aa328bf74aa7f2332466cebe2109
Instruction ID: d254e3d8e2ea2efce9dd2f5fdd4258fe3f9863068b5f3cfe3e5fc67560883818
Opcode Fuzzy Hash: 1ead65938a8827f4dd5abd66fbe1bd295556aa328bf74aa7f2332466cebe2109
Instruction Fuzzy Hash: C231D57A51025DEFCF265F50CC449BA7BA6FF08314B1845DAFA484B121CB32DD65DB81

Function 00BF6C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00BF6C50
GetCommandLineW.KERNEL32 ref: 00BF6C5B

Strings

p%q, xrefs: 00BF6C56

Memory Dump Source

Source File: 00000000.00000002.1683369538.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000000.00000002.1683346277.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683396143.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683425370.0000000000C0B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683449259.0000000000C0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683480935.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1683511445.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_injector V2.jbxd

Similarity

API ID: CommandLine
String ID: p%q
API String ID: 3253501508-1681989647
Opcode ID: 9cd9e79f127900618826dd7af674f0e2b482a01dc8efb0afb035fd54863a7a89
Instruction ID: 3606fdc040f0144adba0d208565fbb40a36677dba4116a07c9450afc66727ff6
Opcode Fuzzy Hash: 9cd9e79f127900618826dd7af674f0e2b482a01dc8efb0afb035fd54863a7a89
Instruction Fuzzy Hash: EDB092B88162009FCB408FB0BE8C34C3BB0F268B023828167D801C3322D7340046EF20

Analysis Process: injector V2.4.exePID: 7496, Parent PID: 7436COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.6%
Total number of Nodes:	57
Total number of Limit Nodes:	2

Executed Functions

Function 00439ED0 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 611
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00444678,00000000,00000001,00444668,00000000), ref: 00439FE8
SysAllocString.OLEAUT32(19CB1BC2), ref: 0043A07C
CoSetProxyBlanket.COMBASE(D961C41D,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A0C8
SysAllocString.OLEAUT32(19CB1BC2), ref: 0043A122
SysAllocString.OLEAUT32(8FCB89DF), ref: 0043A1F9
VariantInit.OLEAUT32(?), ref: 0043A26A

Strings

@/, xrefs: 0043A006
\, xrefs: 00439FA2
C, xrefs: 00439F97
7=, xrefs: 0043A00E

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: 7=$@/$C$\
API String ID: 65563702-2924885527
Opcode ID: 0f263714392d0a4ae23e5820840c924c359c707d5a4b91c4ae3903ed3b795c5b
Instruction ID: d5a0c29c259e1a32e8276e6dd97f2287c07a1dd9d78eebb3971066b2803e93b0
Opcode Fuzzy Hash: 0f263714392d0a4ae23e5820840c924c359c707d5a4b91c4ae3903ed3b795c5b
Instruction Fuzzy Hash: 2622FD71A483009FD714CF24C885BABBBE5EB99314F04892EF9C59B391D778D909CB86

Function 00408860 Relevance: 7.6, APIs: 5, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408882
GetCurrentThreadId.KERNEL32 ref: 00408895
GetCurrentProcessId.KERNEL32 ref: 0040889D
GetForegroundWindow.USER32 ref: 00408948
ExitProcess.KERNEL32 ref: 004089F8

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: b5b3c11cee66c2cbbfd1a6a4c25ca12d49b11a9452b3f90016759ea1aee5e3ad
Instruction ID: 38609802ec9638e7abf543e0d996812e9b4fe1fbad5a70597291d8855ba897df
Opcode Fuzzy Hash: b5b3c11cee66c2cbbfd1a6a4c25ca12d49b11a9452b3f90016759ea1aee5e3ad
Instruction Fuzzy Hash: DA312973A5420057C31CBEB68D8A36AB5979BC5740F0E813EADC59B3E2DE794C054299

Function 0043F0E0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043CABE,?,00000010,00000005,00000000,?,00000000), ref: 0043F10E

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00409C00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(4FD949C3,00000000,9F9E9198), ref: 00409CCD

Strings

|}, xrefs: 00409C78

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: |}
API String ID: 1029625771-3974572420
Opcode ID: 9c2c4e44cc5755c0c79f1d51622012563fdd5faa978f2785b8fed6db492b3294
Instruction ID: ee563ac326da79e97449b4ad50cf1224805225ad9247b781cccfded4f2284b05
Opcode Fuzzy Hash: 9c2c4e44cc5755c0c79f1d51622012563fdd5faa978f2785b8fed6db492b3294
Instruction Fuzzy Hash: 78213871A583805FE314CF25DC8269B7BE5EFD6308F15992DE4C04B252D238880A8B9A

Function 0043C840 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043C863

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1bbc621af1640a7833919c02c3ba92b086ce1b663d35ab757895467e9302c407
Instruction ID: 5e40faf57c8486db04755465fb3ba729797a28adf6e6dec8712b78a7a4e83a77
Opcode Fuzzy Hash: 1bbc621af1640a7833919c02c3ba92b086ce1b663d35ab757895467e9302c407
Instruction Fuzzy Hash: 1011E932A1D2508BD304FB38ECA472BBEE39FD9745F19887CD4C55769ACA344816C792

Function 0040C953 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C965

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 02f052d0914b17852d785bc8f3d0d0ca03705a452a64f08df0e1a9a55459a844
Instruction ID: 17037039fe0080687f2b20cf83abebd8ac9a797141f3a2f09e18c41f8f8d9f2d
Opcode Fuzzy Hash: 02f052d0914b17852d785bc8f3d0d0ca03705a452a64f08df0e1a9a55459a844
Instruction Fuzzy Hash: 54D092343C9281B6E2658B08BC17F5432559302B25F340224B362EE2E1CAE06502861C

Function 0040C920 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C933

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 07188750f600f2565309d338c35a24a25c5b9c0ffcac3cf3e39c8770b02afbd5
Instruction ID: 867e132dc9613676cf91520546d2662a93ec63a975d7f075b3e6a40ec28964c2
Opcode Fuzzy Hash: 07188750f600f2565309d338c35a24a25c5b9c0ffcac3cf3e39c8770b02afbd5
Instruction Fuzzy Hash: 43D0A7346942446BD204676DEC07F26366CC383765F41023AF7B2CA1D5D9506814C57A

Function 0040CDF4 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040CDF4

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: ac87bd0cffbe08ec30df263ee4622e98cb063a29247af99bc430dd62dc213e0f
Instruction ID: 62eb9ca69c4cce3cc35e40113c052ef81563ad4e7398347ae0f25a222e90937b
Opcode Fuzzy Hash: ac87bd0cffbe08ec30df263ee4622e98cb063a29247af99bc430dd62dc213e0f
Instruction Fuzzy Hash: 33B0127BF000048A4B4007A4BC040CDF3A0EAC81367010173E219C1000D63101244680

Non-executed Functions

Function 004260E0 Relevance: 27.2, Strings: 21, Instructions: 937COMMON

Download Yara Rule

Strings

\_, xrefs: 004270B8
s3b5, xrefs: 00426E16
J=B?, xrefs: 004267E1
$D, xrefs: 004271CB
c#t%, xrefs: 00426E42
~+V-, xrefs: 00426E58
Y_, xrefs: 0042660A
tv, xrefs: 004260F2
8K>M, xrefs: 00427081
V)G+, xrefs: 00426818
~?l!, xrefs: 00426E37
tw, xrefs: 00427264
=I'K, xrefs: 00426870
uw, xrefs: 0042687B
\9y;, xrefs: 004267EC
$D, xrefs: 00427194
d7e9, xrefs: 00426E21
,-, xrefs: 00426166
'Y3[, xrefs: 00426844
{8}, xrefs: 00427055
]S, xrefs: 00426615

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: {8}$'Y3[$,-$8K>M$=I'K$J=B?$V)G+$\9y;$\_$c#t%$d7e9$s3b5$tw$tv$~+V-$~?l!$$D$$D$Y_$]S$uw
API String ID: 0-1499059824
Opcode ID: 3e94db4c68999047ead082d98596307fc2607beab64db6c87a0656d6d1d281dd
Instruction ID: fa23e3c4229f11b91a1b4ed3803b3709b6e7be3fa6d3c57fa13885397f710596
Opcode Fuzzy Hash: 3e94db4c68999047ead082d98596307fc2607beab64db6c87a0656d6d1d281dd
Instruction Fuzzy Hash: 75923FB55083818BE374CF25D881B9FBBE1FB92304F10892DE5D99B251DB74844ACF96

Function 00426350 Relevance: 25.8, Strings: 20, Instructions: 848COMMON

Download Yara Rule

Strings

\_, xrefs: 004270B8
s3b5, xrefs: 00426E16
J=B?, xrefs: 004267E1
$D, xrefs: 004271CB
c#t%, xrefs: 00426E42
~+V-, xrefs: 00426E58
Y_, xrefs: 0042660A
8K>M, xrefs: 00427081
V)G+, xrefs: 00426818
~?l!, xrefs: 00426E37
tw, xrefs: 00427264
=I'K, xrefs: 00426870
uw, xrefs: 0042687B
\9y;, xrefs: 004267EC
$D, xrefs: 00427194
3g/e, xrefs: 00426369
d7e9, xrefs: 00426E21
'Y3[, xrefs: 00426844
{8}, xrefs: 00427055
]S, xrefs: 00426615

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: {8}$'Y3[$3g/e$8K>M$=I'K$J=B?$V)G+$\9y;$\_$c#t%$d7e9$s3b5$tw$~+V-$~?l!$$D$$D$Y_$]S$uw
API String ID: 0-2018035003
Opcode ID: 177426f021ed510beda516584e3005d9aae20286c0f49ddf4c36087abb7391b7
Instruction ID: 21b91e870ef273964388e64adf1401a5cea9b3c375b4d543e388e74a20e8728d
Opcode Fuzzy Hash: 177426f021ed510beda516584e3005d9aae20286c0f49ddf4c36087abb7391b7
Instruction Fuzzy Hash: EF822FB450C3858BE374CF259881B9FBBE1FB92304F10892DE6D99B291DB748446CF96

Function 00426490 Relevance: 24.6, Strings: 19, Instructions: 811COMMON

Download Yara Rule

Strings

\_, xrefs: 004270B8
s3b5, xrefs: 00426E16
J=B?, xrefs: 004267E1
$D, xrefs: 004271CB
c#t%, xrefs: 00426E42
~+V-, xrefs: 00426E58
Y_, xrefs: 0042660A
8K>M, xrefs: 00427081
V)G+, xrefs: 00426818
~?l!, xrefs: 00426E37
tw, xrefs: 00427264
=I'K, xrefs: 00426870
uw, xrefs: 0042687B
\9y;, xrefs: 004267EC
$D, xrefs: 00427194
d7e9, xrefs: 00426E21
'Y3[, xrefs: 00426844
{8}, xrefs: 00427055
]S, xrefs: 00426615

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: {8}$'Y3[$8K>M$=I'K$J=B?$V)G+$\9y;$\_$c#t%$d7e9$s3b5$tw$~+V-$~?l!$$D$$D$Y_$]S$uw
API String ID: 0-2887820757
Opcode ID: eebd186f59665f0f18c4559dc3da0ea2f22ed8ae9068dcc71fb74658b99a998b
Instruction ID: bf3007f120a47b887b0caa45068d5f98b9e8554b1bac20d59d32eb417c9351a9
Opcode Fuzzy Hash: eebd186f59665f0f18c4559dc3da0ea2f22ed8ae9068dcc71fb74658b99a998b
Instruction Fuzzy Hash: AA722EB450C3858BE374CF25E881B9FBBE1BB92304F10892DD6D99B251DB74844ACF96

Function 00420BD0 Relevance: 9.7, Strings: 7, Instructions: 944COMMON

Download Yara Rule

Strings

pXwd, xrefs: 00420F3A
thww, xrefs: 00420ED2
}rui, xrefs: 00420EFC
ayii, xrefs: 00420EE0
]|Br, xrefs: 00420F18
w^ux, xrefs: 00420F1F
mLPN, xrefs: 00420F8A

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: ]|Br$ayii$mLPN$pXwd$thww$w^ux$}rui
API String ID: 0-2504981935
Opcode ID: 889e716d40096aaecde243c2a454cf5233b91111803de3f675add881d20cf340
Instruction ID: 3c97eae8aefa8e27b87151d4bf380f8b49915dc83106cb58188050deaac04f6e
Opcode Fuzzy Hash: 889e716d40096aaecde243c2a454cf5233b91111803de3f675add881d20cf340
Instruction Fuzzy Hash: 5A620770604B918FC335CF29D490627BBE1AF56314B588A6ED4E78BBA2C739F805CB54

Function 004345A0 Relevance: 9.1, APIs: 6, Instructions: 129clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004345C2
GetWindowLongW.USER32 ref: 004345ED
GetClipboardData.USER32 ref: 004345FD
CloseClipboard.USER32 ref: 00434727

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: 7e4e37f140669f977603b74b23cf749ebb87053aea8d50c1a81d1f40b1301d2c
Instruction ID: 0d4e149cca78cf6f9eee8ceca06891f89d6322af88ace38695ace5059f1588b6
Opcode Fuzzy Hash: 7e4e37f140669f977603b74b23cf749ebb87053aea8d50c1a81d1f40b1301d2c
Instruction Fuzzy Hash: 8641C4B0808B829FC711AF78954A39EBFB0AB57320F04872AE4E5877D1D338A555C797

Function 0042E48F Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 471COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042E557

Strings

)$/q, xrefs: 0042E6B6
+62), xrefs: 0042E6AC
J(Z6, xrefs: 0042EA87

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: )$/q$+62)$J(Z6
API String ID: 3664257935-4159706543
Opcode ID: 17f4e57675b26713ae51105fcacb17f87b2ba79888cee4bddb9facb3eace5004
Instruction ID: 613bba6bb6791fb587cc5a4212e09141da63c1a358e4bd092013dc2a48d53bfe
Opcode Fuzzy Hash: 17f4e57675b26713ae51105fcacb17f87b2ba79888cee4bddb9facb3eace5004
Instruction Fuzzy Hash: 8CE1E760604B908EE7358F36D4507B3BBE2EF57304F48899ED0EB8B282D7796509CB16

Function 00423250 Relevance: 6.7, Strings: 5, Instructions: 459COMMON

Download Yara Rule

Strings

W7B, xrefs: 00423751
7>, xrefs: 004232F1
xv, xrefs: 004232E1
/B, xrefs: 004232E9
M}, xrefs: 00423403

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: /B$7>$M}$W7B$xv
API String ID: 0-4225845962
Opcode ID: e2a42451265eba153bbbc614b1ca212c5aba3cca3bed044330c2e25fd296c86d
Instruction ID: be21647d591b549922de6916a2c2322c58110783150dd4c484af43a3fcc5f636
Opcode Fuzzy Hash: e2a42451265eba153bbbc614b1ca212c5aba3cca3bed044330c2e25fd296c86d
Instruction Fuzzy Hash: 29C102B06083208BD720CF24D85276BBBF1EF92355F488A5DE4D58B3A0E77D8945CB96

Function 0041F310 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

u|, xrefs: 0041F4F1
g, xrefs: 0041F4EE, 0041F445, 0041F3E2, 0041F355
g, xrefs: 0041F545
u|, xrefs: 0041F510
ez, xrefs: 0041F509

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: ez$g$g$u|$u|
API String ID: 0-2442041542
Opcode ID: 9649ca8dcca0c085fdb6c0163b554bb795b5f2d171d3c43e8d74c9b8816096d8
Instruction ID: f42df2e33762c44fbc3116b00022e3969742704b29768d33b50a91e08b63c4c6
Opcode Fuzzy Hash: 9649ca8dcca0c085fdb6c0163b554bb795b5f2d171d3c43e8d74c9b8816096d8
Instruction Fuzzy Hash: DA51EEB0900782ABDB118F65D8115AAFFB0FF12314B08DA9DD4A55F782D338D286CBD5

Function 00BF5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00BF5450
IsDebuggerPresent.KERNEL32 ref: 00BF551C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BF553C
UnhandledExceptionFilter.KERNEL32(?), ref: 00BF5546

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 9347fb2c121ea00e86b90ae09f3deb2d69f33991cc50e995c5b12d8073b267bd
Instruction ID: 8c259d9712d3a9b6e0f1c8a8c937cca19278bab2048d5f88286bf27e47099d25
Opcode Fuzzy Hash: 9347fb2c121ea00e86b90ae09f3deb2d69f33991cc50e995c5b12d8073b267bd
Instruction Fuzzy Hash: 933106B5D0521C9BDB20DFA4D9897CDBBF8EF08304F1040EAE509AB251EB709A89CF45

Function 0042F36A Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 353COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042F6C1

Strings

mmgl, xrefs: 0042F5B0
UZR_, xrefs: 0042F592

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: UZR_$mmgl
API String ID: 3664257935-2147652447
Opcode ID: 49c8ca7a8128b54bd78bbaf68ec3e5cc65ef4d3ff37dc0da50fddc95bc0892db
Instruction ID: e5fae8dcc2536c3fd0e8b9b2009143f83d911ee360eacffccef646e910612d2f
Opcode Fuzzy Hash: 49c8ca7a8128b54bd78bbaf68ec3e5cc65ef4d3ff37dc0da50fddc95bc0892db
Instruction Fuzzy Hash: 0EB1D171644B418FD7208F29D8417A3FBF2EFA6310F584A3ED4DA87782D678A40AC765

Function 0040AFF0 Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

0e-g, xrefs: 0040B162
!q"s, xrefs: 0040B130
#iJk, xrefs: 0040B144
*u&w, xrefs: 0040B13A

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: !q"s$#iJk$*u&w$0e-g
API String ID: 0-3825726463
Opcode ID: 063aa44fe663828cd3be5995ac30fc1014d72b9d70025b9579371896ea56aff2
Instruction ID: 39b071ea5c26da278d84c28b81b91cc99f89a02010e9bd14c5178b274d85f022
Opcode Fuzzy Hash: 063aa44fe663828cd3be5995ac30fc1014d72b9d70025b9579371896ea56aff2
Instruction Fuzzy Hash: 8C1289B6610B408FD324CF29D882797BBF2FB4A314F19892DD5AA8B790DB75A405CF44

Function 0042970D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 259fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,?,00000000), ref: 004297BA

Strings

01, xrefs: 00429785
*, xrefs: 00429717

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID: *$01
API String ID: 1304948518-1595361459
Opcode ID: 3839394131c99c92ede5cf8cfe9117bf2bbaa5735410f1e4516348a27d927cdd
Instruction ID: 2687bf40e21af332c1244c0acfece92030006778c44a984ff4c4c31516861d38
Opcode Fuzzy Hash: 3839394131c99c92ede5cf8cfe9117bf2bbaa5735410f1e4516348a27d927cdd
Instruction Fuzzy Hash: 7A81F1B4908310DFE7209F24EC4571BBBE0FB9A314F15096DE5819B3A2DB79C901CB8A

Function 00429725 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 247fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,?,00000000), ref: 004297BA

Strings

01, xrefs: 00429785
*, xrefs: 00429727

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID: *$01
API String ID: 1304948518-1595361459
Opcode ID: c2d77798c841f58f0617e1500696cceae3a8cacb2c2f3dcbd3aac9156cdeb993
Instruction ID: f80564b1e8882b1b3399c6aa8384959b94128c1625440a6915e05db285fee732
Opcode Fuzzy Hash: c2d77798c841f58f0617e1500696cceae3a8cacb2c2f3dcbd3aac9156cdeb993
Instruction Fuzzy Hash: 4181F1B4909310CFE3209F24E85571BBBE0FB9A314F150A6DE5819B3A2D778C905CBCA

Function 00409690 Relevance: 5.4, Strings: 4, Instructions: 401COMMON

Download Yara Rule

Strings

8, xrefs: 00409925
1{y, xrefs: 00409A87
1{y, xrefs: 00409B20, 00409890, 00409904
D5A15FEE744B098FE80AB11F1DC389C4, xrefs: 00409754

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: 1{y$1{y$8$D5A15FEE744B098FE80AB11F1DC389C4
API String ID: 0-4232453213
Opcode ID: 8e1564da2f1e8898d4702dce036ab093fa00794b5165fd9abdda6024fb1f69ea
Instruction ID: 328215aa0fa1069e570cd083eabd5e44d6f4191b900f539c337c62f0a2ecc92d
Opcode Fuzzy Hash: 8e1564da2f1e8898d4702dce036ab093fa00794b5165fd9abdda6024fb1f69ea
Instruction Fuzzy Hash: 6FD103726087808BD314CF25C8517ABBBE2EFD1314F18892DE5D55B391DB39C90ACB96

Function 0042A6C2 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

|u, xrefs: 0042AA38
`M, xrefs: 0042AA31
`M, xrefs: 0042AF79

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: `M$`M$|u
API String ID: 0-1188342812
Opcode ID: 2852c23a36161a4f1b1eaf4faf959968801b1aaaa08ca9db2789765810634fbe
Instruction ID: d799d5b25926e93ba5308d3024e46dc2acc46903e2558ca59f5c5628da68bad4
Opcode Fuzzy Hash: 2852c23a36161a4f1b1eaf4faf959968801b1aaaa08ca9db2789765810634fbe
Instruction Fuzzy Hash: 12D10172A00224CFCB28CF58D8912AFB7B1FF95314F59856DD896AB391D7789C06CB84

Function 0042DB30 Relevance: 4.0, Strings: 3, Instructions: 202COMMON

Download Yara Rule

Strings

AVQI, xrefs: 0042DBAB
brpz, xrefs: 0042DCA2
F?uq, xrefs: 0042DCAC

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: AVQI$F?uq$brpz
API String ID: 0-179364957
Opcode ID: 35d7aa7664c9a2a3d54bf6018f39e6de8a4e66c68bf579ae3f5f4abdf4385278
Instruction ID: c770fcffc7702ecb95787f86c941b70990351417063974a8ebde8662e1834aeb
Opcode Fuzzy Hash: 35d7aa7664c9a2a3d54bf6018f39e6de8a4e66c68bf579ae3f5f4abdf4385278
Instruction Fuzzy Hash: 525179A06057908AE7368B3580903A3BFE2AF97344F98849DD5E64B347C77C600ACB1D

Function 004246E0 Relevance: 2.9, Strings: 2, Instructions: 439COMMON

Download Yara Rule

Strings

{=m#, xrefs: 00424703
!, xrefs: 0042470B

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: !${=m#
API String ID: 0-1222216819
Opcode ID: 02ddbdb50afdfb2527dbe6440ef15360bce43cbbd3943299b62139735f225ebd
Instruction ID: 01da73c5ea8a73a56643ad8f52f3195e4805e22af5838982e63d1d709889a110
Opcode Fuzzy Hash: 02ddbdb50afdfb2527dbe6440ef15360bce43cbbd3943299b62139735f225ebd
Instruction Fuzzy Hash: 96B13872B043608BC7149F24E84267BB3A1EFD2354F49992DE8D69B381E378DD05C75A

Function 0042F8D5 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

]cRl, xrefs: 0042FB49
o|Nx, xrefs: 0042FA56

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: ]cRl$o|Nx
API String ID: 0-3402057288
Opcode ID: f14fe5a8b1c6d4b6dc307f948cac7a9d06c178a5a7621f6e203cd0564b7ead4e
Instruction ID: 43c32c2568ee40f2486ef7298d93177b9e1571491ce58580fafb78f359e5b39f
Opcode Fuzzy Hash: f14fe5a8b1c6d4b6dc307f948cac7a9d06c178a5a7621f6e203cd0564b7ead4e
Instruction Fuzzy Hash: 85A1D571608B918FD729CF3990607A3BBE1AF57304F4849AEC0DB8B782D779A409CB55

Function 0042FC7B Relevance: 2.8, Strings: 2, Instructions: 320COMMON

Download Yara Rule

Strings

]cRl, xrefs: 0042FF79
o|Nx, xrefs: 0042FE06

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: ]cRl$o|Nx
API String ID: 0-3402057288
Opcode ID: 486233e3ce3addebd3dbf1b925ce74d5a472a6d2530fe5135904b5979c0450f1
Instruction ID: 1aba2f20077ac3bc3f7f1fd49d840795e168dac44f7044e356d6df62a5fbc1af
Opcode Fuzzy Hash: 486233e3ce3addebd3dbf1b925ce74d5a472a6d2530fe5135904b5979c0450f1
Instruction Fuzzy Hash: 45A1C470608B918FD7368F3994607A3BBE1AF57304F8849AEC0D78B782D779A409CB55

Function 0042EE1E Relevance: 2.8, Strings: 2, Instructions: 320COMMON

Download Yara Rule

Strings

DEyv, xrefs: 0042F002
1M7, xrefs: 0042F1A5

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: DEyv$1M7
API String ID: 0-974543942
Opcode ID: 21e3ebc7f67b20543e43b90e13b470a568c3228fb7fccb3f13ca4876081e3eb1
Instruction ID: 6d7c6c225e4e8ca6c39d7c6f6eeb522119979a99aae92f1c221b7c27903892df
Opcode Fuzzy Hash: 21e3ebc7f67b20543e43b90e13b470a568c3228fb7fccb3f13ca4876081e3eb1
Instruction Fuzzy Hash: 30A1D470204B818FE329CF3994617B3BBE1AF56304F58896ED0E787782C778A409CB65

Function 0042EEFD Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

DEyv, xrefs: 0042F002
1M7, xrefs: 0042F1A5

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: DEyv$1M7
API String ID: 0-974543942
Opcode ID: 23a642b4a0cfbf835027da14f1dcf81f2dc1e090233ea97a6141c660c45c2bb7
Instruction ID: 65194e844e25716609be8539ac940f3b33c98400920e21b66eb35b4b25f4f5e4
Opcode Fuzzy Hash: 23a642b4a0cfbf835027da14f1dcf81f2dc1e090233ea97a6141c660c45c2bb7
Instruction Fuzzy Hash: C3A1E770204B81CFE325CF3694617B3BBE1AF56304F58896ED0E78B681C779A509CB55

Function 0042EEA3 Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

DEyv, xrefs: 0042F002
1M7, xrefs: 0042F1A5

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: DEyv$1M7
API String ID: 0-974543942
Opcode ID: 705338d539cefee7bb63f66432b989afad0ba3d2693a99c69532c1a74fc82160
Instruction ID: 286a8169c9f1bd2375b033ba8f22ead4a3417bdbc0e8203d178d822a0b2e946b
Opcode Fuzzy Hash: 705338d539cefee7bb63f66432b989afad0ba3d2693a99c69532c1a74fc82160
Instruction Fuzzy Hash: E8A1E870204B818FE329CF3694617B3BBE1AF56304F58896ED0E78B782C779A509CB55

Function 0042EEEB Relevance: 2.8, Strings: 2, Instructions: 293COMMON

Download Yara Rule

Strings

DEyv, xrefs: 0042F002
1M7, xrefs: 0042F1A5

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: DEyv$1M7
API String ID: 0-974543942
Opcode ID: 440e8aa7ce5c76b3af1138e83a7bdf6585b21cec930d61d291b1b0c9d1952ae9
Instruction ID: 90d10554526d5a902fe692f5f611752055279c2b1f00c1765f9144f61397a518
Opcode Fuzzy Hash: 440e8aa7ce5c76b3af1138e83a7bdf6585b21cec930d61d291b1b0c9d1952ae9
Instruction Fuzzy Hash: 6B91D571204B818FE325CF3594617B3FBE2AF56304F58896ED0E78B682D7786409CB65

Function 0042B6AA Relevance: 2.8, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

!^s, xrefs: 0042B46F
!^s, xrefs: 0042B5A7

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: !^s$!^s
API String ID: 0-1509702727
Opcode ID: 0855311743f9d58000494e1686417387884aa91d8ebcf861f0406205810e6937
Instruction ID: d6ccac3acef408c95a928b3b13e6fcc81f2aec4c555226410057f008e26590c3
Opcode Fuzzy Hash: 0855311743f9d58000494e1686417387884aa91d8ebcf861f0406205810e6937
Instruction Fuzzy Hash: CB911576D402288FDB14DFA8DC4179EBB71EB89300F59826ED956AB384DB704906CFC1

Function 0042AB59 Relevance: 2.7, Strings: 2, Instructions: 223COMMON

Download Yara Rule

Strings

|u, xrefs: 0042AA38
`M, xrefs: 0042AA31

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: `M$|u
API String ID: 0-2506316158
Opcode ID: 65676c5e736bc7caa40f5edfcc30b4edd4911a3b7442b9226b9532a3c7d18c25
Instruction ID: 27696b2f2a36ce2c346417cc07df52d1964c8c6ab06e62e9e20e05c0147a719c
Opcode Fuzzy Hash: 65676c5e736bc7caa40f5edfcc30b4edd4911a3b7442b9226b9532a3c7d18c25
Instruction Fuzzy Hash: BF515774A00224CFCB248F64D8527AB73B1FF5A314F5845AEE8869B391D7389D51CB4A

Function 0042A970 Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

|u, xrefs: 0042AA38
`M, xrefs: 0042AA31

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: `M$|u
API String ID: 0-2506316158
Opcode ID: ef36727d681ace58a1f35c254ece797d6ad1f78feaf4b19aaa0a95c35ff93dcd
Instruction ID: 81aee74977f4a44c7a2b155c6befc1b2c4a936374a8b946432391d39517fdf7e
Opcode Fuzzy Hash: ef36727d681ace58a1f35c254ece797d6ad1f78feaf4b19aaa0a95c35ff93dcd
Instruction Fuzzy Hash: 6A514674A00224CFCB248F64D8527BB73B1FF5A314F5845AEE8869B390D7389D55CB4A

Function 0043D1D0 Relevance: 2.0, Strings: 1, Instructions: 704COMMON

Download Yara Rule

Strings

f, xrefs: 0043D485

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 78c54fed66e52cc16474271154662faab90874e600bf28a2c18fafde249613f0
Instruction ID: fc19af9f6703e064672979042d610236fb6736d40898b1e7d76426b2a09a5382
Opcode Fuzzy Hash: 78c54fed66e52cc16474271154662faab90874e600bf28a2c18fafde249613f0
Instruction Fuzzy Hash: B422F275A087418FD314CF28D88072BB7E2AFD9314F289A2EE4D487395D778DC058B9A

Function 00424480 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00444598,00000000,00000001,00444588), ref: 004244A9

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 0917f6f831bbc3d282f09f486e3f6490d8e44fafbbaca4a61e19fc973f9eff23
Instruction ID: 39cfb2014bb13bb4c6d1f98dfc79d5b5d9d15d86e78051930c850d045149f2e0
Opcode Fuzzy Hash: 0917f6f831bbc3d282f09f486e3f6490d8e44fafbbaca4a61e19fc973f9eff23
Instruction Fuzzy Hash: 3C51CEB1700224ABDB209B24EC86B7733B4EFC6758F454519FA868B390E778D941C76A

Function 0042D120 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

<, xrefs: 0042D308

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: <
API String ID: 0-3349210249
Opcode ID: d68fa836ececed2d7360bcff5c22cbb87ccfcfb000788510a61f5f539fdc6f0d
Instruction ID: bd5f7c50a6d52165a442f2da5d36c76c6665ae12408ba2b363541ac151782bed
Opcode Fuzzy Hash: d68fa836ececed2d7360bcff5c22cbb87ccfcfb000788510a61f5f539fdc6f0d
Instruction Fuzzy Hash: 9681E0B4608B908AD335CF39D4917A3BBE1AF17304F489A5DC4EB8B346D7796009CB5A

Function 0041EBFA Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

t, xrefs: 0041EDC8

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: f34d60bd9eaa8756c9d35bb85fa109a9874acee7395126e4154d3dfbeb186e8c
Instruction ID: f84986c1877dd769d0571347b3df2866f659b48592f649ee9e009c28432b91a7
Opcode Fuzzy Hash: f34d60bd9eaa8756c9d35bb85fa109a9874acee7395126e4154d3dfbeb186e8c
Instruction Fuzzy Hash: E15104366083819BE714DE29C8916AFBBD39BD2324F18996DF4D2873A5CA7C94068706

Function 00428C20 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

de, xrefs: 0042956F

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: de
API String ID: 0-2106599819
Opcode ID: fdc693add951b788f54284373df7a95343ce0eccfea668fd936c2f044d2014ef
Instruction ID: 161368f526a2418c400529b9c95cd11082ea27134b281e00ee27df9ef326d9ec
Opcode Fuzzy Hash: fdc693add951b788f54284373df7a95343ce0eccfea668fd936c2f044d2014ef
Instruction Fuzzy Hash: 354180716093808BD7209F15A49039FFBE1EBD2354F548A2CE0D45B391C7798506CB87

Function 0041E902 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

(, xrefs: 0041E90E

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 45b6af1c1c88694c75e9463736a0ec9286c7680b6a48628af435e16104e592bc
Instruction ID: e48893f312f574fa26a4608475eea7866d0781d1050191353c4b67508b22117f
Opcode Fuzzy Hash: 45b6af1c1c88694c75e9463736a0ec9286c7680b6a48628af435e16104e592bc
Instruction Fuzzy Hash: 561127796583808ED7008F6AC8D03AAFBE1EBC5314F04A82EF4C087391D639C845C713

Function 00440690 Relevance: .9, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a28ccdbd8f57df4934bc20e3accb1b866645c1a6ee976e24ea7c7b4328455be
Instruction ID: 29f6c7fba77f9f8022bc2f98919c5ab4b8fe0ac06d4f5baa38dd57abf06b573b
Opcode Fuzzy Hash: 1a28ccdbd8f57df4934bc20e3accb1b866645c1a6ee976e24ea7c7b4328455be
Instruction Fuzzy Hash: E642FF35608351CFD708CF28E89062AB7E2FBCA314F1A897ED58987361D735E855CB86

Function 00407570 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f235d076280b6f84856082233917347bb31947d9354f4fc03bb122d9cb1c5a6a
Instruction ID: 02aa1fd579c789f46a77e9a3870bdc6632df97e6d66f7328ddabe8e30b0aa058
Opcode Fuzzy Hash: f235d076280b6f84856082233917347bb31947d9354f4fc03bb122d9cb1c5a6a
Instruction Fuzzy Hash: 4242C1319087118BC7259F28D88066BB3E1FFD4315F158A3ED996A72C1E739B851CB8B

Function 0044088C Relevance: .7, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a56d5baf577c44d57f3e20dcbf7647f45bdeec86cfad76d7d1914cead2d813d
Instruction ID: e6b056fdb22ffde708f586c0c9c75c67ae34fb137e06d2edb37a4ae7e23d07e7
Opcode Fuzzy Hash: 6a56d5baf577c44d57f3e20dcbf7647f45bdeec86cfad76d7d1914cead2d813d
Instruction Fuzzy Hash: 4C120D35609351CFD308CF28E89062AB7E2FBCA314F1A897ED58987361C735E855CB86

Function 00440B70 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6a0c3482024ee74caf477a40cfa1322478a89b1bd54fa9475a7258ce2f22b7
Instruction ID: f90c38ff9e72a4fe20ba9a93d39119203032fbfc8634a908df2c931c2846c82c
Opcode Fuzzy Hash: ac6a0c3482024ee74caf477a40cfa1322478a89b1bd54fa9475a7258ce2f22b7
Instruction Fuzzy Hash: 43F1CB356083418FD708CF28D89062BB7E2FBCA314F1A897EE58587362D735E855CB86

Function 00418940 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2134b366a1760ef11f14de0064b00ff3e16771140db0db287bf4083c0bb3fac1
Instruction ID: fb00dc2e68562a37bdd15bb3a7f62d6c851c7f7d086d206b19ab67cef5b04ab2
Opcode Fuzzy Hash: 2134b366a1760ef11f14de0064b00ff3e16771140db0db287bf4083c0bb3fac1
Instruction Fuzzy Hash: 59C14472A08300CBD714DF28DC426ABB3B1FF95354F09492DF8859B391EB78A945C79A

Function 00428D29 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc98e9c7dd6e4b6e85c3a928dd33e89dda853881eae0a8fa23e99e14fa8da12a
Instruction ID: 112078e51580776b4e9e4f58901c99177dc93c5f07a615ba58f0638573629e45
Opcode Fuzzy Hash: cc98e9c7dd6e4b6e85c3a928dd33e89dda853881eae0a8fa23e99e14fa8da12a
Instruction Fuzzy Hash: B0C19A756092518FC704CF24E89166FB7E2AF96308F49487EE4C6C7252EF38D90AC75A

Function 0042D6C8 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88af8170904804a7d0020232840b4c71a77997f94cba6055a799f0a6142550d7
Instruction ID: 4ee63f0925b7386c42d62712607e9bfee8022eb8401c5c06794af8bcfc92d225
Opcode Fuzzy Hash: 88af8170904804a7d0020232840b4c71a77997f94cba6055a799f0a6142550d7
Instruction Fuzzy Hash: 6CA114B5B487908BE3318F39D8D17A3BBE1AF57300F58456EE4E787342D229A409CB59

Function 00442290 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 539848724c32a1c4fc40c9fd6081c432450a1d177c7f86047df7e86513955c9c
Instruction ID: 4a32f6aa2b1b11b95e63f0ff81ad791ab471a11b0e73bc64559113273958c6a2
Opcode Fuzzy Hash: 539848724c32a1c4fc40c9fd6081c432450a1d177c7f86047df7e86513955c9c
Instruction Fuzzy Hash: F8A1CE31A082119BD724CF28C990A2BB3F2FB99310F59892DF9819B361D779EC01C786

Function 0041FC3A Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c77dd23ac86e0a625af3ffadb9eb886f40ce4eee6db897156700cd9158fd60f
Instruction ID: 20ed6c3d53994d3d7162c7c5f4acd7234d7d63338d46b3e8b6829906f94cd5ae
Opcode Fuzzy Hash: 7c77dd23ac86e0a625af3ffadb9eb886f40ce4eee6db897156700cd9158fd60f
Instruction Fuzzy Hash: 6851E3B16093409BC7048F24E9516BBBBF1EFD6354F18993DE48A4B3A1E739C506CB4A

Function 00427BD0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecad2b91bc38b5014def78d05135141a8af74c4435fabdeec9293e7e67e96bb
Instruction ID: b7faabdfa8c371baa05f56c7cb7db59bf0a8bd37dfac5dbe74f8f3e1555323c0
Opcode Fuzzy Hash: eecad2b91bc38b5014def78d05135141a8af74c4435fabdeec9293e7e67e96bb
Instruction Fuzzy Hash: 8671F3B060C3148BC7189F25D89276BBBF1EFD2354F48892DE5D68B391E7788905CB86

Function 0042A0D0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20842e95098d7eb669ec80dec43989c5eade9e8e4709bf7e87c49858098f3b7e
Instruction ID: 65381dc90960bc1cd06a9124b589d7b4e89aa7619d3cbd42644a563df5e27088
Opcode Fuzzy Hash: 20842e95098d7eb669ec80dec43989c5eade9e8e4709bf7e87c49858098f3b7e
Instruction Fuzzy Hash: 0951E972A14B294BD718CE2DD85063AB2D29BC8214F5A833DDD6A9F382EE349C15C785

Function 00421B80 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf3fa46155570ff4c8e3f3d4ae7caeb2f5a2398289385e270b914e6daf620c4
Instruction ID: 97f62fc33c66449d1f8f2f76a82d27421b6255d0e90bdf4a09407bb281328cba
Opcode Fuzzy Hash: 3bf3fa46155570ff4c8e3f3d4ae7caeb2f5a2398289385e270b914e6daf620c4
Instruction Fuzzy Hash: E2411479A08350EFE3009F65EC81A5B7BE8EB9B314F04493EF58487291E7749509CB9A

Function 0041E2CC Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d24a2021001057fd710544f58260f0c63aad46ede6e21fff8df71bfafaa8661
Instruction ID: faed14dc05694e67e81a86e506b64ba0db0882dc5eada52c38f3a111e057c3b0
Opcode Fuzzy Hash: 8d24a2021001057fd710544f58260f0c63aad46ede6e21fff8df71bfafaa8661
Instruction Fuzzy Hash: 8041253060C3819BD3148F3AC89036BBFE19FD6314F58496EF4D2D7292CA38C5468B1A

Function 0041DE43 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca77722e271a27a04035726bd15c6258ce8207ffadf0341bd8338955f0596de
Instruction ID: 5609afcc5b494e49d94576dddfc0d973be8b5eb10ef618c1ae57d507d62e4568
Opcode Fuzzy Hash: fca77722e271a27a04035726bd15c6258ce8207ffadf0341bd8338955f0596de
Instruction Fuzzy Hash: F731F7B550D3814BC314CF2580A06ABBFE29FD3244F58586EE0C28B356D735C986CB17

Function 0040C735 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d896cb0534938b63848afd9262064bbd80fbeb123036ff67c9a22f78c8e93d
Instruction ID: 814d890e8a7db0d3db8d60f3eb929edd3ea4bc8ac05e86bb34b8b717884bc74b
Opcode Fuzzy Hash: 59d896cb0534938b63848afd9262064bbd80fbeb123036ff67c9a22f78c8e93d
Instruction Fuzzy Hash: 0221CD3524C3818BD314CF65C8D575AFBE2EBC6200F28892DD28497291D7BAA8008B5A

Function 004372C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: e3e8860c9f9ee42487325751bb1dc9396eea365b28f9343348cba3093dd45d4a
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 80112C336481D44EC3268D3C84405A57F930B97234F2953DAFCF5972D2D6268D8BD359

Function 0042C2D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460aac6c710dc6c71d371665c2d02016bb3ea6e4d012f23c085e26f92afde929
Instruction ID: d2565897ed00ce9429ce61ede6d38bf285fa3b6ebe4230a873498cf096a8ee92
Opcode Fuzzy Hash: 460aac6c710dc6c71d371665c2d02016bb3ea6e4d012f23c085e26f92afde929
Instruction Fuzzy Hash: E40192B1B0071157D720DE55A4C0B2FB2A85F55708F48483ED8449B341DB79EC06C6E9

Function 00429C04 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f26d876611aa4976d5f3d35445694510ebb5879da86f55700066f472dc5422
Instruction ID: f8fdce763bb526cf98760ea9e6cb5f792b95f16548652e707cd4fc9150cb4326
Opcode Fuzzy Hash: c5f26d876611aa4976d5f3d35445694510ebb5879da86f55700066f472dc5422
Instruction Fuzzy Hash: DE01F772B487208BD714CF15A88126BB3D0BB9A710F69593EC8855B301C278CC0287CE

Function 00402840 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af34922b851d91932bd9f075fab953b54afaf77b73c28dd8ce722a3f4ffb55a
Instruction ID: fa84490f64ef41be1947fc82ed0ddb0643bd7411b78c8fbf36df2230d191d5a0
Opcode Fuzzy Hash: 4af34922b851d91932bd9f075fab953b54afaf77b73c28dd8ce722a3f4ffb55a
Instruction Fuzzy Hash: ACF0E03F7162150BE210ED75DCC4527F7A6E7CA71471D863AE941E73C1C571E901C169

Function 0043FE30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b3426912e03ee3bea23f66fbc48b5ae7fdeefc9db7390dce3ef53e08a42998
Instruction ID: 576928add09ae7ed23ea181f99465bb143299d5f7d63851dc038db765bb75d83
Opcode Fuzzy Hash: 27b3426912e03ee3bea23f66fbc48b5ae7fdeefc9db7390dce3ef53e08a42998
Instruction Fuzzy Hash: 1FF02430E0828057C7088B388C8067FB7B6EFC6704F04943CE4864B2A1D630DC42CB59

Function 0041E8E0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1f8893282dc18c202b76351a5bf44f6d5e75c83bb6ba2b2a30ef6f57fc88ea
Instruction ID: 7eb8e9a8c1467d5811663a4e9071ec539e800edd265451a786a5442e76b8f6b0
Opcode Fuzzy Hash: 4d1f8893282dc18c202b76351a5bf44f6d5e75c83bb6ba2b2a30ef6f57fc88ea
Instruction Fuzzy Hash: 78C08CB8D2800043C608CB64AD82832B23CAB07308B00303EA903E3382CE30D102858E

Function 00427BA8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53faba70a55ff728e98a723c92bc287c215737c497e09fcd62f3306ae01d1165
Instruction ID: 2e208ae81b19971235408ca8f4270714dff0b229d2616355d188d37c1df3523b
Opcode Fuzzy Hash: 53faba70a55ff728e98a723c92bc287c215737c497e09fcd62f3306ae01d1165
Instruction Fuzzy Hash: 86B01271E0421043D1449F245D524B6B3345E2B349F06383CDD4D7B291ED25ED0142CD

Function 0041FC24 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c785526d00eb928e0f9580a3695a1bfd7b6f6afe8fd1a9bf4476c78301f00a7f
Instruction ID: d8e404f6a9370ce95e3b6f546625508bf34688b767ae864c98d1739270bffd44
Opcode Fuzzy Hash: c785526d00eb928e0f9580a3695a1bfd7b6f6afe8fd1a9bf4476c78301f00a7f
Instruction Fuzzy Hash: 77A002F9C5D500DBD5015F117D02475F5386A1B309F04347D944A37153AA35D11A854E

Function 00BF4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00BF4CB6
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BF4CC4
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00BF4CD5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00BF4CE6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00BF4CF7
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00BF4D08
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00BF4D19
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00BF4D2A
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00BF4D3B
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00BF4D4C
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00BF4D5D
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00BF4D6E
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00BF4D7F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00BF4D90
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00BF4DA1
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00BF4DB2
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00BF4DC3
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00BF4DD4
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00BF4DE5
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00BF4DF6
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00BF4E07
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00BF4E18
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00BF4E29
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00BF4E3A
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00BF4E4B
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00BF4E5C
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BF4E6D
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00BF4E7E
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BF4E8F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BF4EA0
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00BF4EB1
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00BF4EC2
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00BF4ED3
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00BF4EE4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00BF4EF5
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00BF4F06
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00BF4F17
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00BF4F28
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00BF4F39
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00BF4F4A
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00BF4F5B

Strings

kernel32.dll, xrefs: 00BF4CB1
GetFileInformationByHandleEx, xrefs: 00BF4E2F
CreateSemaphoreExW, xrefs: 00BF4D41
GetLocaleInfoEx, xrefs: 00BF4F3F
GetTickCount64, xrefs: 00BF4E1E
CompareStringEx, xrefs: 00BF4F2E
SleepConditionVariableSRW, xrefs: 00BF4EEA
CreateThreadpoolWait, xrefs: 00BF4D96
InitializeCriticalSectionEx, xrefs: 00BF4CFD
SetFileInformationByHandle, xrefs: 00BF4E40
CreateThreadpoolWork, xrefs: 00BF4EFB
ReleaseSRWLockExclusive, xrefs: 00BF4ED9
WaitForThreadpoolTimerCallbacks, xrefs: 00BF4D74
GetSystemTimePreciseAsFileTime, xrefs: 00BF4E51
InitializeConditionVariable, xrefs: 00BF4E62
CreateEventExW, xrefs: 00BF4D1F
SetThreadpoolWait, xrefs: 00BF4DA7
CloseThreadpoolWork, xrefs: 00BF4F1D
FlsGetValue, xrefs: 00BF4CDB
CloseThreadpoolWait, xrefs: 00BF4DB8
CreateSemaphoreW, xrefs: 00BF4D30
FlsAlloc, xrefs: 00BF4CBE
CreateThreadpoolTimer, xrefs: 00BF4D52
FreeLibraryWhenCallbackReturns, xrefs: 00BF4DDA
GetCurrentProcessorNumber, xrefs: 00BF4DEB
FlushProcessWriteBuffers, xrefs: 00BF4DC9
CloseThreadpoolTimer, xrefs: 00BF4D85
WakeAllConditionVariable, xrefs: 00BF4E84
SetThreadpoolTimer, xrefs: 00BF4D63
FlsFree, xrefs: 00BF4CCA
FlsSetValue, xrefs: 00BF4CEC
LCMapStringEx, xrefs: 00BF4F50
AcquireSRWLockExclusive, xrefs: 00BF4EB7
TryAcquireSRWLockExclusive, xrefs: 00BF4EC8
GetCurrentPackageId, xrefs: 00BF4E0D
SubmitThreadpoolWork, xrefs: 00BF4F0C
InitOnceExecuteOnce, xrefs: 00BF4D0E
SleepConditionVariableCS, xrefs: 00BF4E95
InitializeSRWLock, xrefs: 00BF4EA6
WakeConditionVariable, xrefs: 00BF4E73
CreateSymbolicLinkW, xrefs: 00BF4E01

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 3cfce96934d69dd3d158a8b956612afe0409a45614df97f061387e2387a46452
Instruction ID: 9959169181646adab859ff2cf698aef191d30503674ef9c0f2b1253e83465059
Opcode Fuzzy Hash: 3cfce96934d69dd3d158a8b956612afe0409a45614df97f061387e2387a46452
Instruction Fuzzy Hash: AB610471996360ABD7006FF4AC8DBCE3BE8EB197053024626B141D32E3DBB56191CF64

Function 004333D0 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043348F

Strings

,, xrefs: 0043359D
, xrefs: 004333FE
>, xrefs: 004335ED
x, xrefs: 0043353D
<, xrefs: 0043364D
T, xrefs: 0043352D
, xrefs: 0043351D
1, xrefs: 0043366D
8, xrefs: 004335AD
1, xrefs: 004335FD
^, xrefs: 0043357D
3, xrefs: 004333DE
(, xrefs: 0043350D
5, xrefs: 0043360D
{, xrefs: 0043358D
r, xrefs: 004334FD
', xrefs: 004333EE
t, xrefs: 004334CD
0, xrefs: 0043378D
y, xrefs: 004334AD

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $ $'$($,$0$1$1$3$5$8$<$>$T$^$r$t$x$y${
API String ID: 2525500382-1841347086
Opcode ID: 818d85a0ea2b023b33c2a33ca6933671fdb742dd6ef14d2c9671074d93d2d9d1
Instruction ID: 570b572c3c54cc1499fd5753c0e4fd5a8489637ff990fe0945057fc29aa57589
Opcode Fuzzy Hash: 818d85a0ea2b023b33c2a33ca6933671fdb742dd6ef14d2c9671074d93d2d9d1
Instruction Fuzzy Hash: FFA14A2150C7C28ED332CA7C984879FBED15BA7224F088FAED4E95B3D6D6B905058763

Function 004339CB Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 86COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004339D5
VariantInit.OLEAUT32 ref: 004339E8

Strings

$, xrefs: 00433A03
1, xrefs: 00433A77
+, xrefs: 00433A0D
$, xrefs: 00433A37
6, xrefs: 00433A27
+, xrefs: 00433A47
5, xrefs: 00433A57
7, xrefs: 00433A17
?, xrefs: 00433A87
1, xrefs: 00433A97

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: $$$$+$+$1$1$5$6$7$?
API String ID: 2610073882-4195322957
Opcode ID: 580291f8eac7a1d9df24ce8ce0fe9aff7cdb7ea3e79fe2658b2b0c9eae0174ef
Instruction ID: 1c114ccee86385374ba3b9b58fb2cb092864f2fffa6531df4b4df5d1ff8db559
Opcode Fuzzy Hash: 580291f8eac7a1d9df24ce8ce0fe9aff7cdb7ea3e79fe2658b2b0c9eae0174ef
Instruction Fuzzy Hash: FE41297150C7C18EE336DB38884879BBFD16B96224F088A6DD4E9873E2DB748106DB57

Function 00433C31 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 62COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00433C77

Strings

9, xrefs: 00433CAB
', xrefs: 00433CB5
%, xrefs: 00433CBF
+, xrefs: 00433CF1
-, xrefs: 00433CE7
#, xrefs: 00433CC9
!, xrefs: 00433CD3
), xrefs: 00433CFB
/, xrefs: 00433CDD
;, xrefs: 00433CA1

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: !$#$%$'$)$+$-$/$9$;
API String ID: 1927566239-2318925594
Opcode ID: 9a8798a7cf2a08264102e898d666530a88ac105aadc7abc71ea7da5921570dc0
Instruction ID: 0b91b9d2b85bc151d5db95ae92e5f5f09ae82256a3b53e40a0bdbe0a064fea7b
Opcode Fuzzy Hash: 9a8798a7cf2a08264102e898d666530a88ac105aadc7abc71ea7da5921570dc0
Instruction Fuzzy Hash: FB31C37050C7C1CED3228B78944879ABFD15BA6324F084A9DE1E48B3E2C7B98445C767

Function 00BF90D3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00BF91F2
___TypeMatch.LIBVCRUNTIME ref: 00BF9300
CatchIt.LIBVCRUNTIME ref: 00BF9351
_UnwindNestedFrames.LIBCMT ref: 00BF9452
CallUnexpected.LIBVCRUNTIME ref: 00BF946D

Strings

csm, xrefs: 00BF917D
csm, xrefs: 00BF9110
csm, xrefs: 00BF9229

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 42d19533d0b5f1305d0ec276a46a889a3d5c054791b3a721ca247fe90a847419
Instruction ID: 04117debde8519069a5227cd13b65fd4c2c80f98dd166eb16bdd7d6052d05918
Opcode Fuzzy Hash: 42d19533d0b5f1305d0ec276a46a889a3d5c054791b3a721ca247fe90a847419
Instruction Fuzzy Hash: 10B1397180020DEFCF25DFA4C881ABEB7F5FF14310B1441AAEA156B256D731DA5ACB91

Function 00C00308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,00C002F3,?,?,?,?,?,?,?,?,?), ref: 00C003AE
__alloca_probe_16.LIBCMT ref: 00C00469
__alloca_probe_16.LIBCMT ref: 00C004F8
__freea.LIBCMT ref: 00C00543
__freea.LIBCMT ref: 00C00549
__freea.LIBCMT ref: 00C0057F
__freea.LIBCMT ref: 00C00585
__freea.LIBCMT ref: 00C00595

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: eb4df782d4a3229a1de8fc708ead121012f701500d8fd36aacc1f244c8a13754
Instruction ID: 144af6810fc16bcbcaebad062a710007ea130d5a5a7266b93fdb72381e8fb8c3
Opcode Fuzzy Hash: eb4df782d4a3229a1de8fc708ead121012f701500d8fd36aacc1f244c8a13754
Instruction Fuzzy Hash: E971B372A002499BDF219B94CC41FBF7BE99F49310F3A0059EA24A72D1E775DE04CB59

Function 00BF9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00BF9EE2,00BF41E0,?,00000000,?,?,?,00BF9BEB,00000022,FlsSetValue,00C03DDC,00C03DE4,?), ref: 00BF9E94

Strings

api-ms-, xrefs: 00BF9E2A
ext-ms-, xrefs: 00BF9E3E

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e17affb814c991920ba91e83641929e52070b7b8a698b84b2bd69f8900b0bacf
Instruction ID: ed0e822b1a5da0cbf6fd5f9c47287e29f14db6caee0e19ada2032e32a0482e19
Opcode Fuzzy Hash: e17affb814c991920ba91e83641929e52070b7b8a698b84b2bd69f8900b0bacf
Instruction Fuzzy Hash: 0021A831A00215ABD721DB65DC41B7E7798EF81B60B260160EE55E7295DB30ED0DC6D0

Function 00BEBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00BEBF10

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1cb0ba45040e6117bcbd1e587e0d18aa94b4332f0d3e937d08f5292f4b24afa6
Instruction ID: 4d294faba41fc6ffa8bdd8516b629874675f20ef1cdc93af38bfe617282d2ae2
Opcode Fuzzy Hash: 1cb0ba45040e6117bcbd1e587e0d18aa94b4332f0d3e937d08f5292f4b24afa6
Instruction Fuzzy Hash: 4C7156B4904249CFCB04DFADD598AAEFFF0EB08700F1085AAE846AB351D73499459F92

Function 00BF883A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BF8831,00BF5F0D,00BF55A4), ref: 00BF8848
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BF8856
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF886F
SetLastError.KERNEL32(00000000,00BF8831,00BF5F0D,00BF55A4), ref: 00BF88C1

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 113dd8a7bd8eba330b30d106147afc28f4779c5ef05fd42d17258e3a891d0b25
Instruction ID: 2a931cccd6dd1ac0e9e4b4a1c6490fbe1bfbe355e8d1dd584ee84283b2524d6b
Opcode Fuzzy Hash: 113dd8a7bd8eba330b30d106147afc28f4779c5ef05fd42d17258e3a891d0b25
Instruction Fuzzy Hash: 3A01B5321192195DEA241BB47C86B3E27D5EB127F476103A9F320470F1EF524C09A244

Function 00BF6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00C025EB,000000FF,?,00BF7015,?,?,00BF70B1,00000000), ref: 00BF6F89
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BF6F9B
FreeLibrary.KERNEL32(00000000,?,00000000,00C025EB,000000FF,?,00BF7015,?,?,00BF70B1,00000000), ref: 00BF6FBD

Strings

CorExitProcess, xrefs: 00BF6F93
mscoree.dll, xrefs: 00BF6F82

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6a3b9cde30973e58df25852b68efc72735822e80280660b91068c36b71907a6a
Instruction ID: e515fec78754dfbfea5829818a83c376bf4c00ebc707a7ba403d3c5b705c426a
Opcode Fuzzy Hash: 6a3b9cde30973e58df25852b68efc72735822e80280660b91068c36b71907a6a
Instruction Fuzzy Hash: 1501623194462AABDB118F90DC09FAEB7B8FB04B15F050525F811A26D0DB759904CA90

Function 00BFDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00BFDFA2
__alloca_probe_16.LIBCMT ref: 00BFE06B
__freea.LIBCMT ref: 00BFE0D2

Part of subcall function 00BFBC45: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BF41E0,?,?,00BF1007,?,00BEFAB5), ref: 00BFBC77

__freea.LIBCMT ref: 00BFE0E5
__freea.LIBCMT ref: 00BFE0F2

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 8da4a379f1e71eb86dcb83530ec493ec51ef0869d65d5c618fec4dc81dc7ed8b
Instruction ID: b114c4d10f57c2b549fcc239925604a170edb09b154b50d8fc8045590f6a6c4e
Opcode Fuzzy Hash: 8da4a379f1e71eb86dcb83530ec493ec51ef0869d65d5c618fec4dc81dc7ed8b
Instruction Fuzzy Hash: 1351907260024EABEB215E70CC82EBB76EAEF44710B1545B9FB25D7161EFB1CC58C660

Function 00BF94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00BF93FE,?,?,00000000,00000000,00000000,?), ref: 00BF951D
CatchIt.LIBVCRUNTIME ref: 00BF9603

Strings

RCC, xrefs: 00BF9537
MOC, xrefs: 00BF952F

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 23bbadab086711b2d6e2d53838525b51e8408e561e55cc36d6646e71e5f905ed
Instruction ID: 9233295e5f34a4b44bdfdf3f2e13326d48553394d5f89e71a1092b7d36d0d8f1
Opcode Fuzzy Hash: 23bbadab086711b2d6e2d53838525b51e8408e561e55cc36d6646e71e5f905ed
Instruction Fuzzy Hash: 6A41467190020DAFDF16DF98CD81AAEBBF5FF48300F188099FA05AB221D7359954DB50

Function 00BFDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00BFDCFA,00000000,?,00C0CCD0,?,?,?,00BFDC31,00000004,InitializeCriticalSectionEx,00C046F8,00C04700), ref: 00BFDC6B
GetLastError.KERNEL32(?,00BFDCFA,00000000,?,00C0CCD0,?,?,?,00BFDC31,00000004,InitializeCriticalSectionEx,00C046F8,00C04700,00000000,?,00BF971C), ref: 00BFDC75
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00BFDC9D

Strings

api-ms-, xrefs: 00BFDC82

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d7cd564992babcfcfdd1d69d6d40d1239493b4136ff09be19c2ecd4859f5fd4c
Instruction ID: 163ffecce80257001ea825d951d2f1a501dec059acd330de694f3c54f5a18959
Opcode Fuzzy Hash: d7cd564992babcfcfdd1d69d6d40d1239493b4136ff09be19c2ecd4859f5fd4c
Instruction Fuzzy Hash: 94E04830240209BBEF112F91DC06B6D7F95EB01B54F104070FA0DE90E1EBB29815C544

Function 00BFE5E8 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00BFE64B

Part of subcall function 00BFD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,00BF87B1,?,00000000,?), ref: 00BFD192

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BFE89D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00BFE8E3
GetLastError.KERNEL32 ref: 00BFE986

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3839a37b69e994d16b175b44a5c8cf0386c3f7ab743ff0d12de9c70ccf78d17d
Instruction ID: c040e13a5ea7cc5aadb04dc121bdd8ee1741d9b5b001453a82ad0eb5e71213a6
Opcode Fuzzy Hash: 3839a37b69e994d16b175b44a5c8cf0386c3f7ab743ff0d12de9c70ccf78d17d
Instruction Fuzzy Hash: 40D15A75D0025C9FCF15CFA8C880ABDBBF5EF09314F1885AAE665EB261D630E945CB60

Function 00BF8EFC Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00BF8FC3
___AdjustPointer.LIBCMT ref: 00BF8FE6
___AdjustPointer.LIBCMT ref: 00BF9082

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 21586bf9c430cab1da1cc86d1d8d94266007cc8352c74b0214fb7454557efd86
Instruction ID: e343cfc444d9f41a74c62a7c2d6664d9bbc7cbf44f7c5264f811b3fbd210ad3b
Opcode Fuzzy Hash: 21586bf9c430cab1da1cc86d1d8d94266007cc8352c74b0214fb7454557efd86
Instruction Fuzzy Hash: F851E17260560EAFEB298F64D841BBA77E5FF40300F1445ADEB459B2A1EB31EC58C790

Function 00BFC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00BFD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,00BF87B1,?,00000000,?), ref: 00BFD192

GetLastError.KERNEL32 ref: 00BFC61C
__dosmaperr.LIBCMT ref: 00BFC623
GetLastError.KERNEL32(?,?,?,?), ref: 00BFC65D
__dosmaperr.LIBCMT ref: 00BFC664

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 41ed5da6687d43c1f3e6548c350c844fc51af749f9bdb60c6c59d491f687d96e
Instruction ID: 6ca332834d6449d38d398a87a7aa65955b4245359e5580309a9545fab2d7eaa4
Opcode Fuzzy Hash: 41ed5da6687d43c1f3e6548c350c844fc51af749f9bdb60c6c59d491f687d96e
Instruction Fuzzy Hash: A921A17160420EBF9B10AF65CA81D7ABBE9EF553647208598FA25D7511DB30EC88CB90

Function 00BFCB54 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f49a7d3f42fecc96f9455218c77b9322a386cf43f27ef1a4a5dc9a9506d15f
Instruction ID: c8dd7db305483ed6bbdcbf04e1915b3659bc80e7d541be1c11e5ee5691e35877
Opcode Fuzzy Hash: a8f49a7d3f42fecc96f9455218c77b9322a386cf43f27ef1a4a5dc9a9506d15f
Instruction Fuzzy Hash: E721F37520020DAFDB20AF65DE82E3A7BE8EF403A47104595FA29D7152DB30ECC8D790

Function 00BFD22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BFD235

Part of subcall function 00BFD131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,00BF87B1,?,00000000,?), ref: 00BFD192

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BFD26D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BFD28D

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a7bfa8cc8b712d6bb15d5d5a6f12b6c91e0297e73a823b91a2afe183abe37988
Instruction ID: 5168879ea0987e53118d710b18d15d369b3db7f23726b5bb1520c35a8282f799
Opcode Fuzzy Hash: a7bfa8cc8b712d6bb15d5d5a6f12b6c91e0297e73a823b91a2afe183abe37988
Instruction Fuzzy Hash: E611A1B650151D7EA72127B1DC89EBF69EEDE853A47500095FB0193102FF70CE0A85B1

Function 00C007C0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000), ref: 00C007D7
GetLastError.KERNEL32(?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000,?,?,?,00BFE320,00000000), ref: 00C007E3

Part of subcall function 00C00840: CloseHandle.KERNEL32(FFFFFFFE,00C007F3,?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000,?,?), ref: 00C00850

___initconout.LIBCMT ref: 00C007F3

Part of subcall function 00C00815: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C007B1,00BFFF1E,?,?,00BFE9DA,?,00000000,00000000,?), ref: 00C00828

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00BFFF31,00000000,00000001,00000000,?,?,00BFE9DA,?,00000000,00000000,?), ref: 00C00808

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ceccd652282d32dcf265b3515b0f2f34a0895bc1a58ba485c0419ad92deac955
Instruction ID: b31d9c7b2fe400462d77590c9afb78888f7205bc9d7bac1951edb179a5f6b1f1
Opcode Fuzzy Hash: ceccd652282d32dcf265b3515b0f2f34a0895bc1a58ba485c0419ad92deac955
Instruction Fuzzy Hash: 73F0F836000118BBCF221FD1DC08BCE3F2AFF087A1F12C521FA18851A2C6728920EB90

Function 00BF8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00BF8D75

Strings

csm, xrefs: 00BF8D97
csm, xrefs: 00BF8E08

Memory Dump Source

Source File: 00000002.00000002.1723687187.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000002.00000002.1723669046.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723713497.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723725907.0000000000C0B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723740791.0000000000C0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1723756324.0000000000C11000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_be0000_injector V2.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 1ead65938a8827f4dd5abd66fbe1bd295556aa328bf74aa7f2332466cebe2109
Instruction ID: d254e3d8e2ea2efce9dd2f5fdd4258fe3f9863068b5f3cfe3e5fc67560883818
Opcode Fuzzy Hash: 1ead65938a8827f4dd5abd66fbe1bd295556aa328bf74aa7f2332466cebe2109
Instruction Fuzzy Hash: C231D57A51025DEFCF265F50CC449BA7BA6FF08314B1845DAFA484B121CB32DD65DB81

Function 004352EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00435304
GetSystemMetrics.USER32 ref: 00435313

Strings

, xrefs: 004353E7

Memory Dump Source

Source File: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_injector V2.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 38954951f3ba3e7ac5d0127244267ae8f51cf88d03f4621cb630b5b48878d9df
Instruction ID: e95367249cb40d38ae3590277ff75c06c1e6eb410077034cee7531267ac6647e
Opcode Fuzzy Hash: 38954951f3ba3e7ac5d0127244267ae8f51cf88d03f4621cb630b5b48878d9df
Instruction Fuzzy Hash: 2F414EB4D046188FCB44EFACD98569DBBF0BB89310F11852EE898E7350D774A944CF96

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.44.93:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.44.93:443

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.44.93:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.44.93:443

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: farewellnzu.icu
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00402840
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp byte ptr [ebp+ebx+00h], 00000000h	2_2_0042A0D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_0042F8D5
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then jmp eax	2_2_0041E8E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ebx, dword ptr [esp+38h]	2_2_004260E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then jmp ecx	2_2_004260E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-1Fh]	2_2_0044088C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h]	2_2_0044088C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00418940
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h	2_2_0042A970
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx-0E5C990Fh]	2_2_0041E902
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_0042D120
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh	2_2_0043D1D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B1h]	2_2_00423250
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_004372C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov dword ptr [esp+04h], edi	2_2_0041E2CC
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042C2D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	2_2_00442290
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	2_2_00442290
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then jmp ecx	2_2_00426350
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h	2_2_0042AB59
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042F36A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h]	2_2_00440B70
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	2_2_0041F310
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+5261BF7Ah]	2_2_0042DB30
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then inc eax	2_2_00420BD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx]	2_2_00420BD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	2_2_00427BD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-2D7FD463h]	2_2_0041EBFA
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then jmp eax	2_2_00421B80
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then jmp ecx	2_2_00427BA8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_0042FC7B
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+10h]	2_2_00429C04
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-07h]	2_2_00428C20
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then jmp dword ptr [00447DC0h]	2_2_0041FC24
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov word ptr [ecx], bp	2_2_0041FC3A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	2_2_0041FC3A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00424480
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then jmp ecx	2_2_00426490
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+2Ch]	2_2_00407570
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	2_2_00407570
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp al, 2Eh	2_2_00428D29
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+38h]	2_2_0041DE43
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h]	2_2_0042EE1E
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then lea esi, dword ptr [ecx-10h]	2_2_0043FE30
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h	2_2_0042A6C2
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [ecx], bl	2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [ecx], bl	2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004246E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h]	2_2_0042EEEB
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h]	2_2_0042EEFD
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-65ACAA80h]	2_2_00409690
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-1Fh]	2_2_00440690
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h]	2_2_00440690
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h]	2_2_0042EEA3
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-735E2241h]	2_2_0042B6AA
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+10h]	2_2_0042970D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+10h]	2_2_00429725
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E1h]	2_2_0040C735
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov dword ptr [ecx], 21A62724h	2_2_0040AFF0

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report injector V2.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
injector V2.4.exe

Function 00C0B18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00BF9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00BEBEB0 Relevance: 9.2, APIs: 6, Instructions: 173
fileCOMMON

Function 00BF6CE6 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00BF6FEF Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00BFA732 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00BF6E00 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 00BFB0CB Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00BF3B60 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Function 00BF9E9E Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Function 00BECD90 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Function 00BFBC45 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON