Edit tour

Windows Analysis Report
xLauncher.exe

Overview

General Information

Sample name:	xLauncher.exe
Analysis ID:	1561476
MD5:	ceaca4a19229c3283007e714466f51f8
SHA1:	e70dfeeea1cdfeae4da1e97d602867436062550d
SHA256:	e6e0f35cd360401b1973626cb35b635e86bd272b115852f07e434ac3fea0977a
Tags:	exeuser-4k95m
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xLauncher.exe (PID: 5824 cmdline: "C:\Users\user\Desktop\xLauncher.exe" MD5: CEACA4A19229C3283007E714466F51F8)

conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xLauncher.exe (PID: 5660 cmdline: "C:\Users\user\Desktop\xLauncher.exe" MD5: CEACA4A19229C3283007E714466F51F8)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["fumblingactor.cyou"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2049629011.0000000002A82000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.xLauncher.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.xLauncher.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:27:47.794213+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T14:27:49.770829+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	172.67.155.47	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:27:48.490580+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	172.67.155.47	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:27:48.490580+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	172.67.155.47	443	TCP

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: fumblingactor.cyou
Source: global traffic	DNS traffic detected: DNS query: frogs-severz.sbs

Source: unknown

Source: xLauncher.exe, 00000003.00000003.2090719242.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microx
Source: xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/
Source: xLauncher.exe, 00000003.00000003.2090439029.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api
Source: xLauncher.exe, 00000003.00000003.2090784874.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092435196.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api6C
Source: xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apil
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs:443/api
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs:443/apibcryptPrimitives.dll
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou:443/apiS

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 3_2_00434730 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00434730

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 3_2_00434730 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00434730

Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005DF4D0	0_2_005DF4D0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005E34D0	0_2_005E34D0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005DF980	0_2_005DF980
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005E15A0	0_2_005E15A0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005DCE70	0_2_005DCE70
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005D86C0	0_2_005D86C0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005F1FD2	0_2_005F1FD2
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005DD7F0	0_2_005DD7F0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00408A40	3_2_00408A40
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00439390	3_2_00439390
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0040CC6D	3_2_0040CC6D
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00419040	3_2_00419040
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00404860	3_2_00404860
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00438860	3_2_00438860
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00439010	3_2_00439010
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0041E8DE	3_2_0041E8DE
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0040D8EB	3_2_0040D8EB
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_004098F0	3_2_004098F0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_004400A0	3_2_004400A0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0040517E	3_2_0040517E
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042F112	3_2_0042F112
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00441920	3_2_00441920
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_004259E0	3_2_004259E0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0041C1F8	3_2_0041C1F8
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042E180	3_2_0042E180
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00428240	3_2_00428240
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042A210	3_2_0042A210
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042CACE	3_2_0042CACE
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00405A80	3_2_00405A80
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00402AA0	3_2_00402AA0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_004212B0	3_2_004212B0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042EB6D	3_2_0042EB6D
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042830C	3_2_0042830C
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0040B320	3_2_0040B320
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00425B30	3_2_00425B30
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_004273C0	3_2_004273C0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00439BC0	3_2_00439BC0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0041A3D7	3_2_0041A3D7
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00423380	3_2_00423380
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0043FBA0	3_2_0043FBA0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0041ABA4	3_2_0041ABA4
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_004203B0	3_2_004203B0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00441C40	3_2_00441C40
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00421450	3_2_00421450
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042EC59	3_2_0042EC59
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00406C20	3_2_00406C20
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042D424	3_2_0042D424
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00440430	3_2_00440430
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_004034C0	3_2_004034C0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0043C4F0	3_2_0043C4F0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00409480	3_2_00409480
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0043CC90	3_2_0043CC90
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042EC98	3_2_0042EC98
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00428CA8	3_2_00428CA8
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042ECA8	3_2_0042ECA8
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00408D40	3_2_00408D40
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00429D4A	3_2_00429D4A
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00427D60	3_2_00427D60
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0043BD60	3_2_0043BD60
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0040AD70	3_2_0040AD70
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0041D500	3_2_0041D500
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042CD16	3_2_0042CD16
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042C5F0	3_2_0042C5F0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00408580	3_2_00408580
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00423E40	3_2_00423E40
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00406670	3_2_00406670
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00438600	3_2_00438600
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0041FE10	3_2_0041FE10
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00441620	3_2_00441620
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00403E80	3_2_00403E80
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00419E93	3_2_00419E93
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042CE91	3_2_0042CE91
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00425740	3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042AF60	3_2_0042AF60
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0041F770	3_2_0041F770
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00407730	3_2_00407730
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0042C7C0	3_2_0042C7C0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00429FD0	3_2_00429FD0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_0043FFE0	3_2_0043FFE0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_00405FA0	3_2_00405FA0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005DF4D0	3_2_005DF4D0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005E34D0	3_2_005E34D0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005DF980	3_2_005DF980
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005E15A0	3_2_005E15A0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005DCE70	3_2_005DCE70
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005D86C0	3_2_005D86C0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005F1FD2	3_2_005F1FD2
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005DD7F0	3_2_005DD7F0

Source: C:\Users\user\Desktop\xLauncher.exe	Code function: String function: 00408390 appears 41 times
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: String function: 005E55C0 appears 66 times
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: String function: 005E8178 appears 36 times

Source: xLauncher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xLauncher.exe

Static PE information: Section: .coS ZLIB complexity 1.0003360896915585

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@2/1

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 3_2_00439390 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_00439390

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3140:120:WilError_03

Source: xLauncher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xLauncher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xLauncher.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\xLauncher.exe

File read: C:\Users\user\Desktop\xLauncher.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xLauncher.exe "C:\Users\user\Desktop\xLauncher.exe"
Source: C:\Users\user\Desktop\xLauncher.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xLauncher.exe	Process created: C:\Users\user\Desktop\xLauncher.exe "C:\Users\user\Desktop\xLauncher.exe"
Source: C:\Users\user\Desktop\xLauncher.exe	Process created: C:\Users\user\Desktop\xLauncher.exe "C:\Users\user\Desktop\xLauncher.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: xLauncher.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: xLauncher.exe	Static PE information: section name: .00cfg
Source: xLauncher.exe	Static PE information: section name: .coS

Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005E4BC5 push ecx; ret		0_2_005E4BD8
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005E4BC5 push ecx; ret		3_2_005E4BD8

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 0_2_005E4CA2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005E4CA2

Source: C:\Users\user\Desktop\xLauncher.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\xLauncher.exe

API coverage: 7.5 %

Source: C:\Users\user\Desktop\xLauncher.exe TID: 2448	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\xLauncher.exe TID: 2448	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\xLauncher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005EC72A FindFirstFileExW,	0_2_005EC72A
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005EC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_005EC7DB
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005EC72A FindFirstFileExW,	3_2_005EC72A
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005EC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_005EC7DB

Source: xLauncher.exe, 00000003.00000002.2092435196.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090877079.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@!
Source: xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092435196.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090877079.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 3_2_0043E410 LdrInitializeThunk,

3_2_0043E410

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 0_2_005E5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005E5444

Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005DCD10 mov eax, dword ptr fs:[00000030h]	0_2_005DCD10
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005FB18D mov edi, dword ptr fs:[00000030h]	0_2_005FB18D
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005DBD50 mov edi, dword ptr fs:[00000030h]	0_2_005DBD50
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005DBD50 mov edi, dword ptr fs:[00000030h]	3_2_005DBD50
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005DCD10 mov eax, dword ptr fs:[00000030h]	3_2_005DCD10

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 0_2_005E9F90 GetProcessHeap,

0_2_005E9F90

Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005E5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005E5444
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005E5438 SetUnhandledExceptionFilter,	0_2_005E5438
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005E7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005E7DCA
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 0_2_005E4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005E4AD9
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005E5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_005E5444
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005E5438 SetUnhandledExceptionFilter,	3_2_005E5438
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005E7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_005E7DCA
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 3_2_005E4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_005E4AD9

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 0_2_005FB18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_005FB18D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\xLauncher.exe

Memory written: C:\Users\user\Desktop\xLauncher.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\xLauncher.exe

Process created: C:\Users\user\Desktop\xLauncher.exe "C:\Users\user\Desktop\xLauncher.exe"

Jump to behavior

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 0_2_005E5200 cpuid

0_2_005E5200

Source: C:\Users\user\Desktop\xLauncher.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\xLauncher.exe

Code function: 0_2_005E58C5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_005E58C5

Source: C:\Users\user\Desktop\xLauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 3.2.xLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.xLauncher.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049629011.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 3.2.xLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.xLauncher.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049629011.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xLauncher.exe	47%	ReversingLabs	Win32.Trojan.Lumma
xLauncher.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://frogs-severz.sbs/	0%	Avira URL Cloud	safe
http://crl.microx	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api6C	0%	Avira URL Cloud	safe
fumblingactor.cyou	0%	Avira URL Cloud	safe
https://frogs-severz.sbs:443/apibcryptPrimitives.dll	0%	Avira URL Cloud	safe
https://frogs-severz.sbs:443/api	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/apil	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api	0%	Avira URL Cloud	safe
https://fumblingactor.cyou:443/apiS	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
frogs-severz.sbs	172.67.155.47	true	false		high
fumblingactor.cyou	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
fumblingactor.cyou	true	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://frogs-severz.sbs/apil	xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs:443/apibcryptPrimitives.dll	xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs/	xLauncher.exe, 00000003.00000002.2092497554.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002DE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs/api6C	xLauncher.exe, 00000003.00000003.2090784874.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092435196.0000000002D80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microx	xLauncher.exe, 00000003.00000003.2090719242.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090462860.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fumblingactor.cyou:443/apiS	xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs:443/api	xLauncher.exe, 00000003.00000003.2090462860.0000000002D53000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000003.2090784874.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, xLauncher.exe, 00000003.00000002.2092397115.0000000002D65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.155.47	frogs-severz.sbs	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561476
Start date and time:	2024-11-23 14:26:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xLauncher.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 76% Number of executed functions: 26 Number of non-executed functions: 106
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: xLauncher.exe

Simulations

Behavior and APIs

Time	Type	Description
08:27:45	API Interceptor	3x Sleep call for process: xLauncher.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
frogs-severz.sbs	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	b.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	193.143.1.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.61
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.33.116
	psol.txt.ps1	Get hash	malicious	LummaC	Browse	172.66.0.235
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	Aura.exe	Get hash	malicious	Unknown	Browse	172.67.155.47
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.155.47
	psol.txt.ps1	Get hash	malicious	LummaC	Browse	172.67.155.47
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.726569185399569
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xLauncher.exe
File size:	493'568 bytes
MD5:	ceaca4a19229c3283007e714466f51f8
SHA1:	e70dfeeea1cdfeae4da1e97d602867436062550d
SHA256:	e6e0f35cd360401b1973626cb35b635e86bd272b115852f07e434ac3fea0977a
SHA512:	950f5c81675af1deb78c7bdff6228d99036e14872e352176094967e721413ee50fcde9e4acd0843890b3152602830ba7f1bd5ebe81587c1391e8dfde0581f279
SSDEEP:	12288:yJB+nneDgkXFEIORLj5ZNS6HvkGRFKU84BmnYkVs:WAoR25Rv5Z4ivkwM0mYkVs
TLSH:	1EA4F19E77A3E0B3D162183541E89BB5466E7E700F20A4EF57601FB52F36AC28532E53
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x415870
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	887797384d81c493a9d8ee55dad3b2e1

Entrypoint Preview

Instruction
call 00007FE1E8C13ADAh
jmp 00007FE1E8C1393Dh
mov ecx, dword ptr [0042B5F0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FE1E8C13AD6h
test esi, ecx
jne 00007FE1E8C13AF8h
call 00007FE1E8C13B01h
mov ecx, eax
cmp ecx, edi
jne 00007FE1E8C13AD9h
mov ecx, BB40E64Fh
jmp 00007FE1E8C13AE0h
test esi, ecx
jne 00007FE1E8C13ADCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0042B5F0h], ecx
not ecx
pop edi
mov dword ptr [0042B5ECh], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [0042946Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00429430h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042942Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004294A8h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0042C970h
call dword ptr [00429488h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29254	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f000	0x1400	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x237c0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x293c8	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2169a	0x21800	02aff72e65eaf052f891170e28598361	False	0.550606343283582	data	6.737058354414408	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x7264	0x7400	91e5fdecc510d2c4e72b1b50db3c2501	False	0.40641837284482757	data	4.769873714467996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x2068	0x1000	f9b2b4b1f63578440eedd0ace5ac94f1	False	0.484375	OpenPGP Secret Key	5.090094544660231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x2e000	0x8	0x200	160c8b290b62e5e566d05ce3bec76423	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f000	0x1400	0x1400	29fb367912ce622b91120c5cffd84495	False	0.81953125	data	6.557860970753822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.coS	0x31000	0x4d000	0x4d000	c440ae33a4d5782675832d0fc99971be	False	1.0003360896915585	data	7.999414762496168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile

GDI32.dll

CreateEllipticRgn

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T14:27:47.794213+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T14:27:48.490580+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T14:27:48.490580+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T14:27:49.770829+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	172.67.155.47	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:27:46.470099926 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:46.470143080 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:46.470285892 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:46.471414089 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:46.471436024 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:47.794097900 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:47.794213057 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:47.797456026 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:47.797468901 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:47.797707081 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:47.838097095 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:47.838855028 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:47.838874102 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:47.838989973 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:48.490570068 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:48.490655899 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:48.490704060 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:48.492496014 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:48.492513895 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:48.492542982 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:48.492552042 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:48.548835039 CET	49705	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:48.548882008 CET	443	49705	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:48.548943996 CET	49705	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:48.549309015 CET	49705	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:48.549328089 CET	443	49705	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:49.770704031 CET	443	49705	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:49.770828962 CET	49705	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:49.772712946 CET	49705	443	192.168.2.5	172.67.155.47
Nov 23, 2024 14:27:49.772769928 CET	443	49705	172.67.155.47	192.168.2.5
Nov 23, 2024 14:27:49.772845030 CET	49705	443	192.168.2.5	172.67.155.47

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:27:45.786545038 CET	62081	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:27:46.106456041 CET	53	62081	1.1.1.1	192.168.2.5
Nov 23, 2024 14:27:46.118634939 CET	54325	53	192.168.2.5	1.1.1.1
Nov 23, 2024 14:27:46.462272882 CET	53	54325	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 14:27:45.786545038 CET	192.168.2.5	1.1.1.1	0xa9eb	Standard query (0)	fumblingactor.cyou	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:27:46.118634939 CET	192.168.2.5	1.1.1.1	0x9ed9	Standard query (0)	frogs-severz.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 14:27:46.106456041 CET	1.1.1.1	192.168.2.5	0xa9eb	Name error (3)	fumblingactor.cyou	none	none	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:27:46.462272882 CET	1.1.1.1	192.168.2.5	0x9ed9	No error (0)	frogs-severz.sbs		172.67.155.47	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:27:46.462272882 CET	1.1.1.1	192.168.2.5	0x9ed9	No error (0)	frogs-severz.sbs		104.21.88.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

frogs-severz.sbs

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.155.47	443	5660	C:\Users\user\Desktop\xLauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 13:27:47 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: frogs-severz.sbs
2024-11-23 13:27:47 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 13:27:48 UTC	1005	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 13:27:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h67dedtnu89gq9g3fjmim45ec3; expires=Wed, 19-Mar-2025 07:14:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F9aQO1yqpagW0UDVj0z%2BMEyWk7SA3756LKEp6OPotfwtEI8o88RxQ4Q9Pf7d7X0hmkKCalgVNgKZlSAar1ir4M5kvQMOW8uKkwAuftlWQXfR4D49I3PMUgMRSpD4TJSzV5jK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e717fad7e9042e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1902&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1517671&cwnd=252&unsent_bytes=0&cid=7b9443a56da03884&ts=709&x=0"
2024-11-23 13:27:48 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 13:27:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:27:43
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\xLauncher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xLauncher.exe"
Imagebase:	0x5d0000
File size:	493'568 bytes
MD5 hash:	CEACA4A19229C3283007E714466F51F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2049629011.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:27:44
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:27:44
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\xLauncher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xLauncher.exe"
Imagebase:	0x5d0000
File size:	493'568 bytes
MD5 hash:	CEACA4A19229C3283007E714466F51F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.5%
Total number of Nodes:	1900
Total number of Limit Nodes:	22

Executed Functions

Function 005FB18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,005FB0FF,005FB0EF), ref: 005FB323
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 005FB336
Wow64GetThreadContext.KERNEL32(00000094,00000000), ref: 005FB354
ReadProcessMemory.KERNELBASE(0000008C,?,005FB143,00000004,00000000), ref: 005FB378
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 005FB3A3
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 005FB3FB
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 005FB446
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 005FB484
Wow64SetThreadContext.KERNEL32(00000094,026E0000), ref: 005FB4C0
ResumeThread.KERNELBASE(00000094), ref: 005FB4CF

Strings

VirtualAllocEx, xrefs: 005FB28B
TerminateProcess, xrefs: 005FB3B2
GetP, xrefs: 005FB20D
ress, xrefs: 005FB215
ResumeThread, xrefs: 005FB2C7
GetThreadContext, xrefs: 005FB265
ReadProcessMemory, xrefs: 005FB278
WriteProcessMemory, xrefs: 005FB29E
SetThreadContext, xrefs: 005FB2B1
aryA, xrefs: 005FB1D1
VirtualAlloc, xrefs: 005FB252
Load, xrefs: 005FB1C9
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 005FB322
CreateProcessW, xrefs: 005FB23F

Memory Dump Source

Source File: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 9f5dc0c075964b9ddd367795fada2ef7c22129296bbb31f9c83e155664a58fba
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 0BB1067664024AEFDB60CF68CC80BEA77A5FF88714F158524EA08AB341C774FA41CB94

Function 005DCD10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd4e2fb6295a3a0d0d41d980f6ebd4a0c8ff70dda52f7e3e401d8d6beec9c5a
Instruction ID: ed5207c11397f82f8f9bed5d70dd52f6f75462a698b2f417a43e34a18a1ac9ff
Opcode Fuzzy Hash: efd4e2fb6295a3a0d0d41d980f6ebd4a0c8ff70dda52f7e3e401d8d6beec9c5a
Instruction Fuzzy Hash: 520119749042098FCB14DF69C885AD9FBF0FB58710F0084A9A88897340EB78AA84CF85

Function 005E9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,3937B924,?,005E9EE2,?,?,00000000), ref: 005E9E94

Strings

api-ms-, xrefs: 005E9E2A
ext-ms-, xrefs: 005E9E3E

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2756dce777b8b029ffdfa24e6bc82efec147e9ade835c4abf201e4abaf49e0f4
Instruction ID: cd89f6ae2a5de22670eba049624d3ba9fca4518b41e8b759029c13a93f82d93c
Opcode Fuzzy Hash: 2756dce777b8b029ffdfa24e6bc82efec147e9ade835c4abf201e4abaf49e0f4
Instruction Fuzzy Hash: 3A212B31A00292ABDB25CB26DC44B6A3F5CBFA1760F250120EE85E7291D734ED05D6E0

Function 005DBEB0 Relevance: 9.2, APIs: 6, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 005DBF10

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4a279122699fd7aee5755513712cd3812636a18abbc2d4f6cfd86047d2d9bb45
Instruction ID: e2d00a8969be4baac6d00a70d635760ab5ba8fc068baee88c36584f52d2f2aef
Opcode Fuzzy Hash: 4a279122699fd7aee5755513712cd3812636a18abbc2d4f6cfd86047d2d9bb45
Instruction Fuzzy Hash: FC7112B490420ADFDB14DFACD5586AEBFF0BB48700F20891BE846AB350D7389945DF92

Function 005E6CE6 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00016E00,00000000,?,?), ref: 005E6D2F
GetLastError.KERNEL32(?,00000000,00000000,?,005E3BEA), ref: 005E6D3B
__dosmaperr.LIBCMT ref: 005E6D42

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 84bb18ac9a17e571a0ba047e4dd73657477ae74c5cda2eeeb8ef93c51a14c596
Instruction ID: f83dc27f109a574048e15b5957c2d6471d3037ea911160ed07048ba1acb8982b
Opcode Fuzzy Hash: 84bb18ac9a17e571a0ba047e4dd73657477ae74c5cda2eeeb8ef93c51a14c596
Instruction Fuzzy Hash: E601807260029AABDF199FA2DD09AAF3F65FFA03E5F100058F84196190DB70DE10DB90

Function 005E6FEF Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,005E70B1,005E83A0,005E83A0,?,00000002,3937B924,005E83A0,00000002), ref: 005E7000
TerminateProcess.KERNEL32(00000000,?,005E70B1,005E83A0,005E83A0,?,00000002,3937B924,005E83A0,00000002), ref: 005E7007
ExitProcess.KERNEL32 ref: 005E7019

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3766d271bb0fa81e9c1eb043d2e62de1318a682fadba86b4ca68d5d160b06be2
Instruction ID: b92e9d649ed419c4c361272a9e9bad969df11212524d592735577ad31cd9b9ed
Opcode Fuzzy Hash: 3766d271bb0fa81e9c1eb043d2e62de1318a682fadba86b4ca68d5d160b06be2
Instruction Fuzzy Hash: 39D09E31004549BFCF153F61EC4DA9D3F2ABF64391B044410B95986175DB39DD5AEB90

Function 005E41C6 Relevance: 3.1, APIs: 2, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005E49EA
___raise_securityfailure.LIBCMT ref: 005E4AD2

Part of subcall function 005E59FC: RaiseException.KERNEL32(E06D7363,00000001,00000003,005E49DE,3937B924,?,?,?,005E49DE,?,005F9B2C), ref: 005E5A5C

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ExceptionFeaturePresentProcessorRaise___raise_securityfailure
String ID:
API String ID: 3749517692-0
Opcode ID: d2f5f77e59fd9d025d58292719f2c07fea41ef8758a57ad8ab2305067c9619cf
Instruction ID: aad4764500013aed4520ac4df7b23f21f8499d368b06208121f20097c292b134
Opcode Fuzzy Hash: d2f5f77e59fd9d025d58292719f2c07fea41ef8758a57ad8ab2305067c9619cf
Instruction Fuzzy Hash: 8A3170B450030D9FDB08EF26FE4A6757FA8BB68314F10413AE908CA2A1E778A54CDF44

Function 005EA732 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,005EA621,005FA088,0000000C), ref: 005EA77E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,005EA621,005FA088,0000000C), ref: 005EA790

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: c872b383b35801cf58896a55631327086aef98a41321b3879f8ce6be423fc373
Instruction ID: 4fc7347a58030d6089091db77a96513d8e2a61a4577e4e5ea284c3a1a302f865
Opcode Fuzzy Hash: c872b383b35801cf58896a55631327086aef98a41321b3879f8ce6be423fc373
Instruction Fuzzy Hash: 651163B15047D14ACB38CA3F8C886226EA5FB56331B240759E5E6C65F2D634E88AE643

Function 005E6E00 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(005F9D20,0000000C), ref: 005E6E13
ExitThread.KERNEL32 ref: 005E6E1A

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 4fd95ff846a690b326ff33ce4d5b066a2d8d480387f8fe50cac405b1b850226f
Instruction ID: 9006bbd901a3aa0e24fd641f36d53f15fae80a4cd5fc3ade8e430d3fd82eb58d
Opcode Fuzzy Hash: 4fd95ff846a690b326ff33ce4d5b066a2d8d480387f8fe50cac405b1b850226f
Instruction Fuzzy Hash: 40F0C271A00646AFDB09AFB1C84EB3E3F75FF90740F204549F045972A2DB345901DB91

Function 005EB0CB Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,005EBC39,?,00000000,?,?,005EBB55,?,00000007,?,?,005EC16E,?,?), ref: 005EB0E1
GetLastError.KERNEL32(?,?,005EBC39,?,00000000,?,?,005EBB55,?,00000007,?,?,005EC16E,?,?), ref: 005EB0EC

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 6663d5ce6ce8b48559052c0172da74957e96b17b8bbf7dfeaa1256816860bb24
Instruction ID: 67d98d01d91de41e3f5188f0bec914d9dd2a674577c5edced60370b2bdaa715d
Opcode Fuzzy Hash: 6663d5ce6ce8b48559052c0172da74957e96b17b8bbf7dfeaa1256816860bb24
Instruction Fuzzy Hash: 09E0867150064867DB192FA5FD0DB6A3E5CFBD4352F000020F648C6461D7348940D784

Function 005EA00A Relevance: 2.6, APIs: 2, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,005E6E25,005F9D20,0000000C), ref: 005EA00E
SetLastError.KERNEL32(00000000), ref: 005EA0B0

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 10901f6edcb0e29c954f5bd7b8522cab9f81f618c0080a852728882254d7cf05
Instruction ID: b9bcf9f89c8161414fe788551789030b0b2d45567bff1a5f94d685b5897fb62b
Opcode Fuzzy Hash: 10901f6edcb0e29c954f5bd7b8522cab9f81f618c0080a852728882254d7cf05
Instruction Fuzzy Hash: FF11C631604297AEA6293F77AC8EE373E8CBB907A57100524F594C20A6FF54AC099192

Function 005E3B60 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce3bb8a087aab0f64e4e7c138e1fe40c901460bb408a629839ec54d796d4549
Instruction ID: cc33719a336e068259c0bb05eb118a93b2237a8295c9f1921936965d05369add
Opcode Fuzzy Hash: 9ce3bb8a087aab0f64e4e7c138e1fe40c901460bb408a629839ec54d796d4549
Instruction Fuzzy Hash: F731ECB4D042499BCB08DFAAC5986ADBFF0FF48300F10886AE49AAB350D7359E04DF55

Function 005E9E9E Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb5083cbde93d6b3e95136ff1d198cd42e7bc34705a1656c515e59c10644626
Instruction ID: 96c65578c9e8b6b0523f1019b3ce529d177ccb8d5f254c514643743284eb24fd
Opcode Fuzzy Hash: 5bb5083cbde93d6b3e95136ff1d198cd42e7bc34705a1656c515e59c10644626
Instruction Fuzzy Hash: 03012D336042559F9F0ACF6BEC44A2A7B69FBD03607284124F654CB155FB34D808D7D0

Function 005DCD90 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEllipticRgn.GDI32 ref: 005DCDF9

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: CreateElliptic
String ID:
API String ID: 1611293138-0
Opcode ID: 865fc532ebadc7229e688af879b10611ee0cef5640e36600e9868c2005876260
Instruction ID: 06627d44c3de78883601b37416ef892aaf991b89e61cbc56278eda4a98f9df7e
Opcode Fuzzy Hash: 865fc532ebadc7229e688af879b10611ee0cef5640e36600e9868c2005876260
Instruction Fuzzy Hash: 3611D6B4D002099BDB04EFA9C4597AEBBF5FF88304F40881AD855A7350EB786608CB91

Function 005EB807 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,005EA057,00000001,00000364,?,00000006,000000FF,?,005E6E25,005F9D20,0000000C), ref: 005EB848

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2a5f8c53f8e3162f3800fffac81b699d0e8556e9480603454df52ad02310d717
Instruction ID: 3fbb87e7fb3b8812a595b786098dea4f67b4cd24bea89182978d33b1f6c6e46c
Opcode Fuzzy Hash: 2a5f8c53f8e3162f3800fffac81b699d0e8556e9480603454df52ad02310d717
Instruction Fuzzy Hash: 39F0B43150A5E566BF292B238C09B6B3F4CBB80762B185121F8D8D6695CB30DD05C6E0

Function 005EBC45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005E41E0,?,?,005E1007,?,005DFAB5), ref: 005EBC77

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d75fd4f23f2b76108af475b03abeeecccec9ba54c2f76d00e6efce5f2bc53a3
Instruction ID: 39f4bac0f915641b78d51c1ac26c0c0d995c64650b40cb5e6846ca20e533647b
Opcode Fuzzy Hash: 0d75fd4f23f2b76108af475b03abeeecccec9ba54c2f76d00e6efce5f2bc53a3
Instruction Fuzzy Hash: 0DE0E5355096D757FA292623ED09BAF3E48BB817A2F241161BCDDD6090CF20DD01C1E0

Non-executed Functions

Function 005E4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005E4CB6
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005E4CC4
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005E4CD5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005E4CE6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005E4CF7
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005E4D08
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 005E4D19
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005E4D2A
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 005E4D3B
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005E4D4C
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005E4D5D
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005E4D6E
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005E4D7F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005E4D90
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005E4DA1
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005E4DB2
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005E4DC3
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 005E4DD4
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 005E4DE5
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 005E4DF6
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 005E4E07
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 005E4E18
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 005E4E29
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 005E4E3A
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 005E4E4B
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 005E4E5C
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005E4E6D
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 005E4E7E
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005E4E8F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005E4EA0
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 005E4EB1
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 005E4EC2
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 005E4ED3
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005E4EE4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 005E4EF5
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 005E4F06
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 005E4F17
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 005E4F28
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 005E4F39
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 005E4F4A
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 005E4F5B

Strings

GetFileInformationByHandleEx, xrefs: 005E4E2F
GetCurrentPackageId, xrefs: 005E4E0D
SetThreadpoolTimer, xrefs: 005E4D63
InitializeConditionVariable, xrefs: 005E4E62
CreateThreadpoolWait, xrefs: 005E4D96
CreateSemaphoreW, xrefs: 005E4D30
GetLocaleInfoEx, xrefs: 005E4F3F
WaitForThreadpoolTimerCallbacks, xrefs: 005E4D74
SleepConditionVariableCS, xrefs: 005E4E95
CloseThreadpoolWait, xrefs: 005E4DB8
CompareStringEx, xrefs: 005E4F2E
FreeLibraryWhenCallbackReturns, xrefs: 005E4DDA
CreateSemaphoreExW, xrefs: 005E4D41
CloseThreadpoolTimer, xrefs: 005E4D85
ReleaseSRWLockExclusive, xrefs: 005E4ED9
FlushProcessWriteBuffers, xrefs: 005E4DC9
kernel32.dll, xrefs: 005E4CB1
GetTickCount64, xrefs: 005E4E1E
CreateSymbolicLinkW, xrefs: 005E4E01
SubmitThreadpoolWork, xrefs: 005E4F0C
FlsGetValue, xrefs: 005E4CDB
FlsFree, xrefs: 005E4CCA
FlsSetValue, xrefs: 005E4CEC
GetCurrentProcessorNumber, xrefs: 005E4DEB
TryAcquireSRWLockExclusive, xrefs: 005E4EC8
WakeConditionVariable, xrefs: 005E4E73
InitOnceExecuteOnce, xrefs: 005E4D0E
WakeAllConditionVariable, xrefs: 005E4E84
SetThreadpoolWait, xrefs: 005E4DA7
CreateThreadpoolTimer, xrefs: 005E4D52
FlsAlloc, xrefs: 005E4CBE
CreateEventExW, xrefs: 005E4D1F
InitializeSRWLock, xrefs: 005E4EA6
LCMapStringEx, xrefs: 005E4F50
CreateThreadpoolWork, xrefs: 005E4EFB
GetSystemTimePreciseAsFileTime, xrefs: 005E4E51
InitializeCriticalSectionEx, xrefs: 005E4CFD
SetFileInformationByHandle, xrefs: 005E4E40
CloseThreadpoolWork, xrefs: 005E4F1D
AcquireSRWLockExclusive, xrefs: 005E4EB7
SleepConditionVariableSRW, xrefs: 005E4EEA

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 3cd2b584b638be04b71d3cf6418bafbc16b5c8b3849d2435e6fe8724a9a4fa71
Instruction ID: 07892918c445267f27fc8ea8e7932d6919d9462ee164696842a42b8b87edcb0e
Opcode Fuzzy Hash: 3cd2b584b638be04b71d3cf6418bafbc16b5c8b3849d2435e6fe8724a9a4fa71
Instruction Fuzzy Hash: 7D610371992758ABCB046FF4AE0D9F63FE8BB397413004426B241D3265DBFC6149EB64

Function 005DCE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005DCF90
std::_Throw_Cpp_error.LIBCPMT ref: 005DD216

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: Cpp_errorCurrentThreadThrow_std::_
String ID:
API String ID: 350343453-0
Opcode ID: 996d5e336d80f315bb647c598c1f4716f95311a8393190670d65ce26e0859b6a
Instruction ID: c20750bc256b204627413749c47f10ccc13e2b43f55378edc3f7d12f13ef3fbf
Opcode Fuzzy Hash: 996d5e336d80f315bb647c598c1f4716f95311a8393190670d65ce26e0859b6a
Instruction Fuzzy Hash: 0CF10672E505114FEF008A7CC8A83DF2FE69B66330F2A172ADAB45B7D2D62744099F50

Function 005EC7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005EC8CB

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0282c7ed31f2b731c8646461a9b77d0fbf6a47945d1d848de0a953bd78a0f723
Instruction ID: ea48f4747f43b1ba40750ff82ea963d96b812b9adef5881638cb681e44094696
Opcode Fuzzy Hash: 0282c7ed31f2b731c8646461a9b77d0fbf6a47945d1d848de0a953bd78a0f723
Instruction Fuzzy Hash: CA71D37180419D5EDF28EF2A9C8DAAEBFB9FB45300F1441D9E489A3251DB309E869F50

Function 005E5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005E5450
IsDebuggerPresent.KERNEL32 ref: 005E551C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005E553C
UnhandledExceptionFilter.KERNEL32(?), ref: 005E5546

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3073c3d797339e26ab852ecfa2b52c304fe62f3362a61d8dbd13cfc2d015cea3
Instruction ID: 522423b534d33a7156ec6e1da9a3d708adca25b1776332b6a8873a07e2876fe1
Opcode Fuzzy Hash: 3073c3d797339e26ab852ecfa2b52c304fe62f3362a61d8dbd13cfc2d015cea3
Instruction Fuzzy Hash: DC312775D053199BDF10EFA5D989BCDBBB8BF18304F1040AAE44CAB250EB749A89CF04

Function 005E7DCA Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005E7EC2
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005E7ECC
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 005E7ED9

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: db16ea0cc50b53039604e8dc5b8e17356c1e14e651f43f8d8edbd603abcbb60f
Instruction ID: 4be2029ec98b943ffd63eb5d3d13be819337769be955bd26080f7eab7df3c31e
Opcode Fuzzy Hash: db16ea0cc50b53039604e8dc5b8e17356c1e14e651f43f8d8edbd603abcbb60f
Instruction Fuzzy Hash: C531D27490122D9BCB25DF25DC88B9DBBB8BF58350F5041EAE41CA7250EB749F858F44

Function 005E15A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005E2437

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ___std_exception_destroy
String ID:
API String ID: 4194217158-0
Opcode ID: e87840dd65d736736c43169d865430846ad66b55ac5af6cf002f9170d4f6edfb
Instruction ID: c3994758d76c1c5d6869c148307a8a172271f9f4602888e907a8659fa5a924f6
Opcode Fuzzy Hash: e87840dd65d736736c43169d865430846ad66b55ac5af6cf002f9170d4f6edfb
Instruction Fuzzy Hash: E8A26966A555C44FEB024AB884B93DF6FE64B6B330F6A2755C6F06F2D3D50B000B9B60

Function 005DD7F0 Relevance: 2.6, Strings: 1, Instructions: 1327COMMONLIBRARYCODE

Download Yara Rule

Strings

-g}5, xrefs: 005DD8D2

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID: -g}5
API String ID: 0-4071012034
Opcode ID: 95500222923b654f2685ad90ba2406ff1b020aebdecf5cd4c9aefd247616847f
Instruction ID: 721c97e744b967a91125c68761a462e0f316cdba8cd96c0d20ab706bbefe7ba8
Opcode Fuzzy Hash: 95500222923b654f2685ad90ba2406ff1b020aebdecf5cd4c9aefd247616847f
Instruction Fuzzy Hash: 6C929AA6A556C45FEF024AB8D4A93DF6FF24B6B331F5E2B5686E01F2D3C507004A9B10

Function 005F1FD2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005F1F2D,?,?,00000008,?,?,005F1AFF,00000000), ref: 005F21FF

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2ffad9b7b649c3b00e3456fbe7859c522bd105c4544020f3df3d6a9f418f97b8
Instruction ID: 3399d4b3af96b8ec8fb08e9e8321ed5ce2addc42cf5fe18692f3f9fd966554e2
Opcode Fuzzy Hash: 2ffad9b7b649c3b00e3456fbe7859c522bd105c4544020f3df3d6a9f418f97b8
Instruction Fuzzy Hash: C9B18F76110608DFD719CF28C48AB657FE0FF45364F258658EA99CF2A1C739E992CB40

Function 005EC72A Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005EB807: RtlAllocateHeap.NTDLL(00000008,?,?,?,005EA057,00000001,00000364,?,00000006,000000FF,?,005E6E25,005F9D20,0000000C), ref: 005EB848

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005EC8CB
FindNextFileW.KERNEL32(00000000,?), ref: 005EC9BF
FindClose.KERNEL32(00000000), ref: 005EC9FE
FindClose.KERNEL32(00000000), ref: 005ECA31

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: Find$CloseFile$AllocateFirstHeapNext
String ID:
API String ID: 4087847297-0
Opcode ID: 38c986e4cf9c8bbc2b52335080caf8fd288c424df923b2342ed97b50d31676d9
Instruction ID: 41dc99acc2f44164445858c42a9cadb995ffee8b7223f78e6067161db9767ff6
Opcode Fuzzy Hash: 38c986e4cf9c8bbc2b52335080caf8fd288c424df923b2342ed97b50d31676d9
Instruction Fuzzy Hash: D55167759042896FDB2C9F2A9C889BE7FA9FF85314F1441ADF48993201EB30CD429F60

Function 005E5200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005E5216

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b8dd40d50b68aca0fd42603ee4b2d99ff44737ba2d25f9d50c14e8feadfafcaf
Instruction ID: 0477896895c8b52f74f94d68c68728005ae4d091127cf3786b0d709b55ebf286
Opcode Fuzzy Hash: b8dd40d50b68aca0fd42603ee4b2d99ff44737ba2d25f9d50c14e8feadfafcaf
Instruction Fuzzy Hash: 305180B1901649CFEB18CF56D9857AEBFF0FB58714F24882AD451EB250E3B8A904DF90

Function 005DF4D0 Relevance: 1.6, Strings: 1, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

Strings

k#fz, xrefs: 005DF718

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID: k#fz
API String ID: 0-1948189604
Opcode ID: 220d59771bed9f372e7c05deed47a1c8451b4d9a18b81a28f7d36e253df43c08
Instruction ID: 5640ce0b8fe28f4d44b5797769227908a9557a276fb0aa0b2f8e4fe436c722a2
Opcode Fuzzy Hash: 220d59771bed9f372e7c05deed47a1c8451b4d9a18b81a28f7d36e253df43c08
Instruction Fuzzy Hash: 52D13272E115188FDB50CEBDC94069DBBF2BB48720F2A8729E875FB3D4D63499418B80

Function 005E5438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00015560), ref: 005E543D

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ca6ea9ccc6b39fa2baf35aaedd4d30419a0359a24709b510831151b349efdcbb
Instruction ID: dda9362a14406f2cb3005851fff4d1b7910b8ce46d95a8f8d1fd9a7c2dea9fb6
Opcode Fuzzy Hash: ca6ea9ccc6b39fa2baf35aaedd4d30419a0359a24709b510831151b349efdcbb
Instruction Fuzzy Hash:

Function 005E9F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 005E9F90

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 19dbb1be6eea0e3654d40e50b447f2c51c5296abcc2747451014f31e1c21465e
Instruction ID: 601890043b0831b5d0ae2d82d40d17cc5847fe5b7caf9f2f3014ee7c071fecfd
Opcode Fuzzy Hash: 19dbb1be6eea0e3654d40e50b447f2c51c5296abcc2747451014f31e1c21465e
Instruction Fuzzy Hash: 43A011B0A022008B8B008F32AB0832E3EA8BA2028230080B8A000C0220EA388008EB00

Function 005D86C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f4c5f2b609285bdca343e303d80839991bd1969403640d3849d7eb7fee2df8
Instruction ID: e9422e1956b3225609b5d53506d2f61837d9a8bbace3e09976426b8d00934e32
Opcode Fuzzy Hash: 58f4c5f2b609285bdca343e303d80839991bd1969403640d3849d7eb7fee2df8
Instruction Fuzzy Hash: 3032D376E442844FEB018ABCC4A93DF6FF25B6B334F291716C5A46F3D6D917040A8B50

Function 005E34D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7932b130240bf6e2c4b7a936e797647f393e002419e5da1a79ef5b8f35db6a9e
Instruction ID: 1713a2393a7632657121ddc9aa60993fe1f0cf85e42a33615cbc9a1ff89f2267
Opcode Fuzzy Hash: 7932b130240bf6e2c4b7a936e797647f393e002419e5da1a79ef5b8f35db6a9e
Instruction Fuzzy Hash: AA02A077A916904FEF01497CC8A83DB1FE747A7735E2A2726CAB05B3E2C55B010E9B50

Function 005DF980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7a311ce803c18cb75810f9d293b854db9d2fc9dbe80eefba6885e79c4cac14
Instruction ID: 4f970e306bbefdb9f3e12e37353418184efef89dfdca2fac0ddefffa38aa5461
Opcode Fuzzy Hash: 4c7a311ce803c18cb75810f9d293b854db9d2fc9dbe80eefba6885e79c4cac14
Instruction Fuzzy Hash: 68E1F772A505504FDF008A7CC4A93DF2FE2976A334F2A2727D9B4AF7D2D65B08099B50

Function 005DBD50 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9483dfc46f94d347a9b0882e7e602225980565ff39f1f4ad4de2199dc9f85b8e
Instruction ID: f9626c8045f7bc4912312128dacab9589914035be8f9351069228a263a278cd8
Opcode Fuzzy Hash: 9483dfc46f94d347a9b0882e7e602225980565ff39f1f4ad4de2199dc9f85b8e
Instruction Fuzzy Hash: 9AD06C3A655A59AFC210CF49E840D41F7B8FB99670B158066EA0893B20C335F811CAE0

Function 005E90D3 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 005E91F2
___TypeMatch.LIBVCRUNTIME ref: 005E9300
CatchIt.LIBVCRUNTIME ref: 005E9351
_UnwindNestedFrames.LIBCMT ref: 005E9452
CallUnexpected.LIBVCRUNTIME ref: 005E946D

Strings

csm, xrefs: 005E9229
@]^, xrefs: 005E926D, 005E9275
csm, xrefs: 005E917D
csm, xrefs: 005E9110
81_, xrefs: 005E91E9

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: 81_$@]^$csm$csm$csm
API String ID: 4119006552-146116256
Opcode ID: fef1fb88cfc7b08526f9c49e04a727d6ae451e383b8ef2295f338d0e77294284
Instruction ID: 03219d0a21a2798768fb70d16c68df27216438f2269fdfe276f57faccf725ad7
Opcode Fuzzy Hash: fef1fb88cfc7b08526f9c49e04a727d6ae451e383b8ef2295f338d0e77294284
Instruction Fuzzy Hash: 7BB1AB75C0028AEFCF1CDFA6C8849AEBFB5FF48310B14445AE8856B242D731DA52CB91

Function 005E6130 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005E6167
___except_validate_context_record.LIBVCRUNTIME ref: 005E616F
_ValidateLocalCookies.LIBCMT ref: 005E61F8
__IsNonwritableInCurrentImage.LIBCMT ref: 005E6223
_ValidateLocalCookies.LIBCMT ref: 005E6278

Strings

^^, xrefs: 005E6215, 005E621E, 005E622F
csm, xrefs: 005E620D

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ^^$csm
API String ID: 1170836740-3765710807
Opcode ID: 7f8fdb603672997dc7c0eb0359e9498ed5286d2102324b92d509668976045d58
Instruction ID: b943d13b7199b127325f8206969e1ebd94d3ce2875227de2801e21fafd91e68e
Opcode Fuzzy Hash: 7f8fdb603672997dc7c0eb0359e9498ed5286d2102324b92d509668976045d58
Instruction Fuzzy Hash: EE417934A00299EBCF18DF6ACC48AAEBFB1FF54394F048055E9559B392D735EA04CB80

Function 005F0308 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(02A7E460,02A7E460,00000000,7FFFFFFF,?,005F02F3,02A7E460,02A7E460,00000000,02A7E460,?,?,?,?,02A7E460,00000000), ref: 005F03AE
__alloca_probe_16.LIBCMT ref: 005F0469
__alloca_probe_16.LIBCMT ref: 005F04F8
__freea.LIBCMT ref: 005F0543
__freea.LIBCMT ref: 005F0549
__freea.LIBCMT ref: 005F057F
__freea.LIBCMT ref: 005F0585
__freea.LIBCMT ref: 005F0595

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 17753787e14291bce55f8e6fe34debf552f986ebfad3ce4bbb28501199999437
Instruction ID: c923966aafcf2f8464b467da3423063ae3e224ddb11d2bb8d0abf4763d8651cb
Opcode Fuzzy Hash: 17753787e14291bce55f8e6fe34debf552f986ebfad3ce4bbb28501199999437
Instruction Fuzzy Hash: D171D47290024E9BDF219B548C45BBF7FAABF89314F2C2415EA44A72C3E779DD048B60

Function 005E883A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005E8831,005E5F0D,005E55A4), ref: 005E8848
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005E8856
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005E886F
SetLastError.KERNEL32(00000000,005E8831,005E5F0D,005E55A4), ref: 005E88C1

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9efa7da14ccbe29c985eaba8e80bc2987891f938887f07a031038f20d1cfbdfa
Instruction ID: 242beae9d08b4d3b1a38baa437a8b90c01fc274a9ebb63b3c693d42a610e7cbc
Opcode Fuzzy Hash: 9efa7da14ccbe29c985eaba8e80bc2987891f938887f07a031038f20d1cfbdfa
Instruction Fuzzy Hash: 9701D83211D6529DFA2C2BB7BC8A93A2F58FBA17B43600B29F858D41E1EF164C05F654

Function 005ECB54 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\xLauncher.exe, xrefs: 005ECB70

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\xLauncher.exe
API String ID: 0-3841312303
Opcode ID: c20607203e82372434a63f50e344ac57c8142ed86bb8ae589e8908b36f949db0
Instruction ID: 0263de70f820ecdb21b6ec67885e870802ef44124254a1aba1768b4c1ddca6e4
Opcode Fuzzy Hash: c20607203e82372434a63f50e344ac57c8142ed86bb8ae589e8908b36f949db0
Instruction Fuzzy Hash: 4321CF71600286AFDB28AF678C86D6B7FACFF803A47104515F8AC97551E730EC429BA0

Function 005E6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3937B924,?,?,00000000,005F25EB,000000FF,?,005E7015,00000002,?,005E70B1,005E83A0), ref: 005E6F89
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005E6F9B
FreeLibrary.KERNEL32(00000000,?,?,00000000,005F25EB,000000FF,?,005E7015,00000002,?,005E70B1,005E83A0), ref: 005E6FBD

Strings

mscoree.dll, xrefs: 005E6F82
CorExitProcess, xrefs: 005E6F93

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8a00f8849777a9a100c7e1513e81a26aec35c771b2f796aaba17abece5237637
Instruction ID: 4ad0bdc46718decad514d9b486c959a6047210f7cccd0048ae7a3e9c75a9b1dd
Opcode Fuzzy Hash: 8a00f8849777a9a100c7e1513e81a26aec35c771b2f796aaba17abece5237637
Instruction Fuzzy Hash: FB01D631904A69EFDF158F51DC09FBEBBB8FB14B51F040525F821E22A4DB789904CA94

Function 005EDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 005EDFA2
__alloca_probe_16.LIBCMT ref: 005EE06B
__freea.LIBCMT ref: 005EE0D2

Part of subcall function 005EBC45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005E41E0,?,?,005E1007,?,005DFAB5), ref: 005EBC77

__freea.LIBCMT ref: 005EE0E5
__freea.LIBCMT ref: 005EE0F2

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 30c863511bb892071adeb1cc1cfef44fa846cd48696db384a42f7109e0dfd5eb
Instruction ID: 713a641a419904b5efa885913cb171859841c5f01463cc17aa54f935e82ad04f
Opcode Fuzzy Hash: 30c863511bb892071adeb1cc1cfef44fa846cd48696db384a42f7109e0dfd5eb
Instruction Fuzzy Hash: B751C672610287AFEF289F62CC4AEBB7EA9FF84710B154429FD88D6151EB71CC50C660

Function 005E94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,005E93FE,?,?,00000000,00000000,00000000,?), ref: 005E951D
CatchIt.LIBVCRUNTIME ref: 005E9603

Strings

RCC, xrefs: 005E9537
MOC, xrefs: 005E952F

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: eccf291d1bb719618b8f108a6aaacb13ca314f16fbdfac1fc57d1390a16aa6b3
Instruction ID: e1532c549ce7fe47a119788994e22e2a3e9044fec7db3e4d2950279e3cb55517
Opcode Fuzzy Hash: eccf291d1bb719618b8f108a6aaacb13ca314f16fbdfac1fc57d1390a16aa6b3
Instruction Fuzzy Hash: FA419A72900289AFCF2ACF95CC81AEEBFB5FF48304F18809AF945A7221D3359950DB50

Function 005EDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005EDCFA,00000000,?,005FCCD0,?,?,?,005EDC31,00000004,InitializeCriticalSectionEx,005F46F8,005F4700), ref: 005EDC6B
GetLastError.KERNEL32(?,005EDCFA,00000000,?,005FCCD0,?,?,?,005EDC31,00000004,InitializeCriticalSectionEx,005F46F8,005F4700,00000000,?,005E971C), ref: 005EDC75
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005EDC9D

Strings

api-ms-, xrefs: 005EDC82

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 40068f8f2e1717cf1c2b3efc6e07196aabba7158bb074f0095d110ddbe53a63f
Instruction ID: e1bf7a50b24f83c298fa68cb16657c48aa291f1756c39837303053f4ca10c0be
Opcode Fuzzy Hash: 40068f8f2e1717cf1c2b3efc6e07196aabba7158bb074f0095d110ddbe53a63f
Instruction Fuzzy Hash: 30E0D830650206BBFF102F52DC0EB283F64BB20B90F204020F94DE80E0FBAA9C11D955

Function 005EE5E8 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(3937B924,00000000,00000000,?), ref: 005EE64B

Part of subcall function 005ED131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,005E87B1,?,00000000,?), ref: 005ED192

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005EE89D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005EE8E3
GetLastError.KERNEL32 ref: 005EE986

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 6c2584b18804c8d5351036714a6f39061c902c7fa08b068721a7d47aef53f797
Instruction ID: dd5cd624e82457ba194002754347820dd6f8c780f45a4fd8f7a38c030ae7b0b0
Opcode Fuzzy Hash: 6c2584b18804c8d5351036714a6f39061c902c7fa08b068721a7d47aef53f797
Instruction Fuzzy Hash: 74D199B5D002899FCB19CFA9C8859ADBFF5FF48300F28456AE495EB352D630A906CB50

Function 005E8EFC Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005E8FC3
___AdjustPointer.LIBCMT ref: 005E8FE6
___AdjustPointer.LIBCMT ref: 005E9082

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: caf9ebaaecee113ad366a82dbe21ead562d644a1678266068490a48c04677bee
Instruction ID: 6bea40620f17ea6e4590ea878ebb549d7d1bc570eaba5b680528acee7e146645
Opcode Fuzzy Hash: caf9ebaaecee113ad366a82dbe21ead562d644a1678266068490a48c04677bee
Instruction Fuzzy Hash: CD51E072601682AFDB2DCF16C849B7A7BA5FF40310F54052DE9D99B291EB31EC40CB80

Function 005EC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 005ED131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,005E87B1,?,00000000,?), ref: 005ED192

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,005EC95E,?,?,?,00000000), ref: 005EC61C
__dosmaperr.LIBCMT ref: 005EC623
GetLastError.KERNEL32(00000000,005EC95E,?,?,00000000,?,?,?,00000000,00000000,?,005EC95E,?,?,?,00000000), ref: 005EC65D
__dosmaperr.LIBCMT ref: 005EC664

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 85ba5d82b154cb3d5b71d5e118d677b39a52638671f95b2d0fa838187a791d0c
Instruction ID: 72a8c5dca5fdffffd7a31d85f3001932d2896951b4b88112e221d5593ebb46ee
Opcode Fuzzy Hash: 85ba5d82b154cb3d5b71d5e118d677b39a52638671f95b2d0fa838187a791d0c
Instruction Fuzzy Hash: FC21F872200296AFDB289F6B8C84D2B7FA9FF853647108819F8E5D7511D730EC02CB90

Function 005ED22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005ED235

Part of subcall function 005ED131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,005E87B1,?,00000000,?), ref: 005ED192

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005ED26D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005ED28D

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a3957fd01d0e753ef593f9e6d7d640ab2c4e9f8af350fef591a2df8263e1c529
Instruction ID: 9a9b4845f683356916f0d08c39ed4567eb07f548ccd15b38a39a62eddee04bd4
Opcode Fuzzy Hash: a3957fd01d0e753ef593f9e6d7d640ab2c4e9f8af350fef591a2df8263e1c529
Instruction Fuzzy Hash: 191126B690158A7FAB2927735C8DCBF2DBCFEE43957100414FA81D2101FB24DD029570

Function 005F07C0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000), ref: 005F07D7
GetLastError.KERNEL32(?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000,?,?,?,005EE320,00000000), ref: 005F07E3

Part of subcall function 005F0840: CloseHandle.KERNEL32(FFFFFFFE,005F07F3,?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000,?,?), ref: 005F0850

___initconout.LIBCMT ref: 005F07F3

Part of subcall function 005F0815: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,005F07B1,005EFF1E,?,?,005EE9DA,?,00000000,00000000,?), ref: 005F0828

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000,?), ref: 005F0808

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 27a1751eae9dbc313ed2c35ccc326f35c632847886f8bab31903abae15625cce
Instruction ID: a0f891d096b3f762674a0911d2c5a582bb06d78d14a9cdfc12995015aa5ef57f
Opcode Fuzzy Hash: 27a1751eae9dbc313ed2c35ccc326f35c632847886f8bab31903abae15625cce
Instruction Fuzzy Hash: 5DF0F83640051DBBCF222F95DC08AAA3E2AFF683A1F048421FB0885162D676C824EB90

Function 005E8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 005E8D75

Strings

csm, xrefs: 005E8E08
csm, xrefs: 005E8D97

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: b83871b3b400e1f565c8691c54a571c90e2f0c6be1484aa31680e9cc9aaa81f2
Instruction ID: 42c6c7f46f98d676f8e91daefb3f1781b1a8d137c177ba718b9849af0d504b18
Opcode Fuzzy Hash: b83871b3b400e1f565c8691c54a571c90e2f0c6be1484aa31680e9cc9aaa81f2
Instruction Fuzzy Hash: 9531E476400295EFCF2A9F52CD449BA7F6AFF08314B18465AF8CC59221DB32DD61EB81

Function 005E45A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005E4533: __EH_prolog3_GS.LIBCMT ref: 005E453A

std::domain_error::domain_error.LIBCPMT ref: 005E45EC

Part of subcall function 005E43A4: std::exception::exception.LIBCONCRT ref: 005E43BA

Strings

CD^, xrefs: 005E45B6, 005E45C9
CD^, xrefs: 005E45D7

Memory Dump Source

Source File: 00000000.00000002.2049437730.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2049420233.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049464797.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049480653.00000000005FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049494614.00000000005FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049510062.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049522611.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_xLauncher.jbxd

Similarity

API ID: H_prolog3_std::domain_error::domain_errorstd::exception::exception
String ID: CD^$CD^
API String ID: 2144476180-3205961225
Opcode ID: 717f1ff9f37cd80ddde0da5b763ec47933fe0b8c2ecf1030ca347843eedaff07
Instruction ID: 1ebbb08f61b09bac950d7833f7062f07008ab1752f7898858d2011cb2e7e3ebf
Opcode Fuzzy Hash: 717f1ff9f37cd80ddde0da5b763ec47933fe0b8c2ecf1030ca347843eedaff07
Instruction Fuzzy Hash: 7B014C74D002099BCF18EF6AD8458AEBFF8FF88704B10851EE45597340DB34DA05CB90

Analysis Process: xLauncher.exePID: 5660, Parent PID: 5824COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	57.4%
Total number of Nodes:	54
Total number of Limit Nodes:	3

Executed Functions

Function 00439390 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 646
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00443678,00000000,00000001,00443668,00000000), ref: 004394BA
SysAllocString.OLEAUT32(438D41B2), ref: 00439531
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00439576
SysAllocString.OLEAUT32(37E739D3), ref: 004395D5
SysAllocString.OLEAUT32(37E739D3), ref: 00439689
VariantInit.OLEAUT32(?), ref: 004396F4
VariantClear.OLEAUT32(?), ref: 00439973
SysFreeString.OLEAUT32(?), ref: 00439997
SysFreeString.OLEAUT32(?), ref: 0043999D
SysFreeString.OLEAUT32(?), ref: 004399B4
GetVolumeInformationW.KERNEL32(?,00000000,00000000,7F09795D,00000000,00000000,00000000,00000000), ref: 004399E5

Strings

C, xrefs: 00439469
e.k, xrefs: 004393BC
\, xrefs: 00439474
523, xrefs: 0043958C
tu, xrefs: 004394F0

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: e.k$C$\$tu$523
API String ID: 2573436264-3491669738
Opcode ID: 2113fe1c46924481d627edf74d5309fe22bf739b120302e3aff6f8c30e7400db
Instruction ID: e1573ebc7a5a0e1536596eea73d0663f2d817262ed3498b2cb41fbce2fea040d
Opcode Fuzzy Hash: 2113fe1c46924481d627edf74d5309fe22bf739b120302e3aff6f8c30e7400db
Instruction Fuzzy Hash: 8A224271A083009FD718CF24C845B6BBBE1EF89314F18892DE5969B3D1D7B8D905CB9A

Function 0040CC6D Relevance: 9.3, Strings: 7, Instructions: 579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%, xrefs: 0040D1EF
frogs-severz.sbs, xrefs: 0040D081, 0040D4A1
95CBEFD18DDCE7726CA361616D950AC3, xrefs: 0040CCEF, 0040D11F
e{, xrefs: 0040D378
PQ, xrefs: 0040D43C
~}, xrefs: 0040D399
y5, xrefs: 0040D383

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: 95CBEFD18DDCE7726CA361616D950AC3$PQ$e{$frogs-severz.sbs$y5$~}$%
API String ID: 0-2500350351
Opcode ID: 090ff3817184d656c5b43165c4e7e37c9f2314c6ca28d6b996a56d1635b60e31
Instruction ID: 5a8de95e8c06bd6c07cbf4968ae8d160a9aeefcb6064c3d179da94803ef9cf72
Opcode Fuzzy Hash: 090ff3817184d656c5b43165c4e7e37c9f2314c6ca28d6b996a56d1635b60e31
Instruction Fuzzy Hash: BB12ACB15483C18AD371CF24C494BDFBBE2EB92304F1889ADC4D95B292DB39450ACB96

Function 00408A40 Relevance: 7.7, APIs: 5, Instructions: 171
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408A62
GetCurrentThreadId.KERNEL32 ref: 00408A75
GetCurrentProcessId.KERNEL32 ref: 00408A7D
GetForegroundWindow.USER32 ref: 00408B7F
ExitProcess.KERNEL32 ref: 00408C61

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: ad0912771d57850929ec58b0d39227cc3e0b4855ddb88bcfce1a5f0273a6af48
Instruction ID: 6f87a4886bf6abc34ba852dc79c3fd8c6903462d35a0ec5fb2fb19cc9553fff0
Opcode Fuzzy Hash: ad0912771d57850929ec58b0d39227cc3e0b4855ddb88bcfce1a5f0273a6af48
Instruction Fuzzy Hash: 71516873B403090BC70CAEBADD9A7AAB5D68BC8714F0DC13D6984D73E1EDB89C084684

Function 0043E410 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00440ACB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043E43E

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00440F30 Relevance: 1.4, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5|iL, xrefs: 00441050

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 5|iL
API String ID: 2994545307-1880071150
Opcode ID: ee4077c7691c7a9d9760f3ee9ac3ee1b414a579a8cebcf00ca14fe496833f0fa
Instruction ID: 2d9a10d3518b6347526887b405adf83255ac8af9fc4b632d109705a99c658641
Opcode Fuzzy Hash: ee4077c7691c7a9d9760f3ee9ac3ee1b414a579a8cebcf00ca14fe496833f0fa
Instruction Fuzzy Hash: 504126342493005FF7249B55CCD1B7BB7E0EB46318F28482EE685973A2D2B9ACD18749

Function 00409E30 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dcji, xrefs: 00409E60

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: dcji
API String ID: 0-1961726176
Opcode ID: d91f7cb0704b5006a2db1cfcc1efbc7c3ef55f9a13ce028042e6c4370d6ded10
Instruction ID: 204c1587005a9916132671a7009940757905733ef6e55b23c709a5ef6d24fd37
Opcode Fuzzy Hash: d91f7cb0704b5006a2db1cfcc1efbc7c3ef55f9a13ce028042e6c4370d6ded10
Instruction Fuzzy Hash: 1B2129316083509BD724CF25C85475BB7A6EFC3308F58952CE4C56B789C730990ACB9A

Function 0040CBF8 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CC0A
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CC22

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 145065683141cf3167c9475bcb822f9121ccc55af7dab7bb781004c755a29937
Instruction ID: c880cdd67f623438b6cd66e68a6017e00abd8d3a53342b4ce76a78301ae82540
Opcode Fuzzy Hash: 145065683141cf3167c9475bcb822f9121ccc55af7dab7bb781004c755a29937
Instruction Fuzzy Hash: 2AE042783D8341B6F6B48B54AC17F5476556746F22F344314B7623D6E5CAE03601450D

Function 0040F04A Relevance: 2.5, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040F04A
CoUninitialize.COMBASE ref: 0040F050

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 8dcc30f96501aecf090ff4362c8611e93c8148ded05e41cc509420b92d328d5a
Instruction ID: 6306f3a4cd9b95ebdec0c21febb67e832960b6ef8d041fe0cf89b1477948b023
Opcode Fuzzy Hash: 8dcc30f96501aecf090ff4362c8611e93c8148ded05e41cc509420b92d328d5a
Instruction Fuzzy Hash: 91C048BC644580ABC3C88F24ED998643720EB8BA07B010479EA47C2762CA246989CA19

Function 0043BD00 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(916B93BC,00000000,?), ref: 0043BD55

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d98b47f134cf57db6db609dd5bf372f6c453c8b7cbd161761e2a2017b8c54b0e
Instruction ID: 42040e2cc6aa9b7ac258e8f81a0661d3c5896cafd756345d56892cf8069c28b5
Opcode Fuzzy Hash: d98b47f134cf57db6db609dd5bf372f6c453c8b7cbd161761e2a2017b8c54b0e
Instruction Fuzzy Hash: 48F027307593408BDB089F34ED6272F7BA5DBD6314F18893DD4C24A6D2C6345826D716

Function 0040CBB0 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CBC3

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3a724ea4c961a328da68f7ed4ff58daf34b3e02347835e836726a23858d31ddb
Instruction ID: ce00b06ee55548168b8c0787cc59377a69a59bff38caca41d9e6c9a3031c1121
Opcode Fuzzy Hash: 3a724ea4c961a328da68f7ed4ff58daf34b3e02347835e836726a23858d31ddb
Instruction Fuzzy Hash: E2D0A7345541446BD690775EDC0BF12362C9B87B27F440235F6A3C66D3DD10A910C56A

Non-executed Functions

Function 00425740 Relevance: 35.0, Strings: 27, Instructions: 1269COMMON

Download Yara Rule

Strings

*(, xrefs: 00425FDB
U3@5, xrefs: 00425BD0
,+, xrefs: 00426B15
c?E1, xrefs: 00425DC7
)C9E, xrefs: 00425BF9
y-e#, xrefs: 004263F1
9K,M, xrefs: 00425BE3
:G"Y, xrefs: 00425C04
Y_, xrefs: 00426412
AC, xrefs: 00425EB2
,_6], xrefs: 00425779
hS5Q, xrefs: 00425761
$', xrefs: 004266C8
$G-E, xrefs: 00425789
Z!\', xrefs: 004263FC
MO, xrefs: 00425ED3
TW, xrefs: 00426854
!W#i, xrefs: 00425C30
8O"A, xrefs: 00425BEE
s3l=, xrefs: 004266A7
`g, xrefs: 004257CD
E7CI, xrefs: 00425BD8
)_~Q, xrefs: 00425C1A
v7d1, xrefs: 0042669C
b?g9, xrefs: 004266B2
ac, xrefs: 004261AA
X5c+, xrefs: 004263DB

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: Y_$!W#i$$'$$G-E$)C9E$)_~Q$*($,+$,_6]$8O"A$9K,M$:G"Y$E7CI$TW$U3@5$X5c+$Z!\'$`g$b?g9$c?E1$hS5Q$s3l=$v7d1$y-e#$AC$MO$ac
API String ID: 0-1414121465
Opcode ID: 7a807fb1dd10f0d72baa1f0606e81b66103267f2d31d318abaea0f4e75b6a7e6
Instruction ID: 90c7b0685a53786c9af241da242e978aa2e938f14bafcff75bf7c61eb51f6037
Opcode Fuzzy Hash: 7a807fb1dd10f0d72baa1f0606e81b66103267f2d31d318abaea0f4e75b6a7e6
Instruction Fuzzy Hash: A8B2A6B52083918BE334CF25D8807AFBBE1FF86344F55892DE5D99B250DB748846CB86

Function 004259E0 Relevance: 31.2, Strings: 24, Instructions: 1160COMMON

Download Yara Rule

Strings

*(, xrefs: 00425FDB
TW, xrefs: 00426854
U3@5, xrefs: 00425BD0
,+, xrefs: 00426B15
c?E1, xrefs: 00425DC7
!W#i, xrefs: 00425C30
)C9E, xrefs: 00425BF9
8O"A, xrefs: 00425BEE
y-e#, xrefs: 004263F1
9K,M, xrefs: 00425BE3
s3l=, xrefs: 004266A7
9})c, xrefs: 004259F9
E7CI, xrefs: 00425BD8
)_~Q, xrefs: 00425C1A
:G"Y, xrefs: 00425C04
Y_, xrefs: 00426412
v7d1, xrefs: 0042669C
AC, xrefs: 00425EB2
b?g9, xrefs: 004266B2
$', xrefs: 004266C8
ac, xrefs: 004261AA
X5c+, xrefs: 004263DB
Z!\', xrefs: 004263FC
MO, xrefs: 00425ED3

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: Y_$!W#i$$'$)C9E$)_~Q$*($,+$8O"A$9K,M$9})c$:G"Y$E7CI$TW$U3@5$X5c+$Z!\'$b?g9$c?E1$s3l=$v7d1$y-e#$AC$MO$ac
API String ID: 0-2757791933
Opcode ID: 4d2eeb46c2115fa2db1afc153202f8ff0a434cbc9b6afb72d4f2fdf823e171ba
Instruction ID: 47215e23adb0cf5868d561f6ad647b6ec23c2605ebcfbf9d20bbfe8a24c7d981
Opcode Fuzzy Hash: 4d2eeb46c2115fa2db1afc153202f8ff0a434cbc9b6afb72d4f2fdf823e171ba
Instruction Fuzzy Hash: 18A2A5B52083918BE334CF25E8807AFBBE1FF85344F51892DE5D99B250DB748846CB96

Function 00425B30 Relevance: 29.9, Strings: 23, Instructions: 1130COMMON

Download Yara Rule

Strings

*(, xrefs: 00425FDB
TW, xrefs: 00426854
U3@5, xrefs: 00425BD0
,+, xrefs: 00426B15
c?E1, xrefs: 00425DC7
!W#i, xrefs: 00425C30
)C9E, xrefs: 00425BF9
8O"A, xrefs: 00425BEE
y-e#, xrefs: 004263F1
9K,M, xrefs: 00425BE3
s3l=, xrefs: 004266A7
E7CI, xrefs: 00425BD8
)_~Q, xrefs: 00425C1A
:G"Y, xrefs: 00425C04
Y_, xrefs: 00426412
v7d1, xrefs: 0042669C
AC, xrefs: 00425EB2
b?g9, xrefs: 004266B2
$', xrefs: 004266C8
ac, xrefs: 004261AA
X5c+, xrefs: 004263DB
Z!\', xrefs: 004263FC
MO, xrefs: 00425ED3

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: Y_$!W#i$$'$)C9E$)_~Q$*($,+$8O"A$9K,M$:G"Y$E7CI$TW$U3@5$X5c+$Z!\'$b?g9$c?E1$s3l=$v7d1$y-e#$AC$MO$ac
API String ID: 0-2703530209
Opcode ID: 999693332ce3cb521be822ece04869f879cbd96f23583627649b22d85a420d73
Instruction ID: cd379224abbc543f3d1972bf7739c2ad6f847806e997ff9a47fe545f594b8fb1
Opcode Fuzzy Hash: 999693332ce3cb521be822ece04869f879cbd96f23583627649b22d85a420d73
Instruction Fuzzy Hash: E7A2A5B52083918BE334CF25E8807AFBBE1FF85344F55892DE5D99B250DB748846CB86

Function 00409480 Relevance: 16.7, Strings: 13, Instructions: 425COMMON

Download Yara Rule

Strings

/(, xrefs: 00409606
qMkU, xrefs: 004095BF
%;'9, xrefs: 004097C4
l$2V, xrefs: 0040956F
4, xrefs: 004097DC
z, xrefs: 0040960D
QeOt, xrefs: 0040957F
@LvJ, xrefs: 00409597
zxJr, xrefs: 004095AF
/Dv, xrefs: 0040959F
fi_a, xrefs: 00409567
cmid, xrefs: 00409577
<, xrefs: 0040979E

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: %;'9$/Dv$/($4$<$@LvJ$QeOt$cmid$fi_a$l$2V$qMkU$z$zxJr
API String ID: 0-1056785701
Opcode ID: 454e64a2c140c78ac1c09d91c32a4975d07486e3d41fb0bc63710894affa323b
Instruction ID: 842e46ac5b75871493291bc3071aec04cb085700fb22aab4cf73edda68073cb1
Opcode Fuzzy Hash: 454e64a2c140c78ac1c09d91c32a4975d07486e3d41fb0bc63710894affa323b
Instruction Fuzzy Hash: AEC1E6B264C3918BD322CF2584A076BFFE1AF97740F08496DE4D15B382D779890AC796

Function 00428240 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 302COMMON

Download Yara Rule

Strings

w1u, xrefs: 00428974
T3T5, xrefs: 00428C1D
cS'Q, xrefs: 0042892C
c/g-, xrefs: 00428924
$W U, xrefs: 00428934
X+\), xrefs: 00428A64, 00428A69
+[&Y, xrefs: 0042893C
47, xrefs: 00428C25

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: w1u$$W U$+[&Y$47$T3T5$X+\)$c/g-$cS'Q
API String ID: 0-2291755801
Opcode ID: 2fa13dc2c1c44e510c9746f46ed5d05ec53562d9eaabe92f7db13bdabe04031f
Instruction ID: 0e000d0ef194e534a872b9aca1764fcc5bbb7122393326ec7202e282a22e0c83
Opcode Fuzzy Hash: 2fa13dc2c1c44e510c9746f46ed5d05ec53562d9eaabe92f7db13bdabe04031f
Instruction Fuzzy Hash: 56A1EEB5A193508BD7209F25E88136FBBE1EFC2308F54592DE4C59B350DB388946CB9B

Function 0042830C Relevance: 13.1, Strings: 10, Instructions: 567COMMON

Download Yara Rule

Strings

FR[`, xrefs: 0042832C
Acel, xrefs: 0042831C
z^yr, xrefs: 0042833C
`Mjp, xrefs: 00428314
St_v, xrefs: 00428344
rvpf, xrefs: 0042834C
Ef~W, xrefs: 00428324
0, xrefs: 004283CC
exCj, xrefs: 00428380
lm, xrefs: 00428B06

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: 0$Acel$Ef~W$FR[`$St_v$`Mjp$exCj$lm$rvpf$z^yr
API String ID: 0-1784461846
Opcode ID: 38d058a4246af9e27b0a4d3ba4a34cf858c250db70937e4330b18fa5a1d6a780
Instruction ID: de593a7aba0a4b4ed2533947fe1a7d67c62c5fb99aef8cd95165a538a09bc7be
Opcode Fuzzy Hash: 38d058a4246af9e27b0a4d3ba4a34cf858c250db70937e4330b18fa5a1d6a780
Instruction Fuzzy Hash: D90237B560C3518BC7048F25E89136FBBE1AFD5308F18486EE4C58B352DB39D94ACB5A

Function 00434730 Relevance: 9.1, APIs: 6, Instructions: 148clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00434752
GetWindowLongW.USER32 ref: 0043477D
GetClipboardData.USER32 ref: 0043478D
GlobalLock.KERNEL32 ref: 004347AA
GlobalUnlock.KERNEL32 ref: 004348F2
CloseClipboard.USER32 ref: 004348FA

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: f2203ab28d0576d61462a5c17bcb7f7600ac017b2ea799a40c192e1975df93af
Instruction ID: 97ea91c22d5ae7e5b9c8b13deb6233e80460e5913be69dfa7c2dbb8e78e0b21f
Opcode Fuzzy Hash: f2203ab28d0576d61462a5c17bcb7f7600ac017b2ea799a40c192e1975df93af
Instruction Fuzzy Hash: 8C51E5B1D087928FD700AB7CD94A39EBFA0AB45310F04863ED8E597781D338A954C797

Function 0041C1F8 Relevance: 8.6, Strings: 6, Instructions: 1141COMMON

Download Yara Rule

Strings

#&'$, xrefs: 0041C98A
f`vy, xrefs: 0041C4C2
[8', xrefs: 0041CF7A
KV, xrefs: 0041C23A
|8', xrefs: 0041CF9F
PE, xrefs: 0041C248

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: #&'$$KV$PE$[8'$f`vy$|8'
API String ID: 0-901786309
Opcode ID: 22921e54152e35852d7864b9951b0e6be910aeda6b8dbcc850104d63ef1ea1b2
Instruction ID: f2474e64b7f290b38b33caec3c14869fa59ee5d828d9dfffcc58d7c71fdde309
Opcode Fuzzy Hash: 22921e54152e35852d7864b9951b0e6be910aeda6b8dbcc850104d63ef1ea1b2
Instruction Fuzzy Hash: 8B82FFB5500700CFC724CF29C891662BBF2FF9A314F19866DD8968B792E739E841CB95

Function 0040B320 Relevance: 8.0, Strings: 6, Instructions: 453COMMON

Download Yara Rule

Strings

pv, xrefs: 0040B425
?=, xrefs: 0040B58D
TsZq, xrefs: 0040B4E9
~q, xrefs: 0040B41E
31, xrefs: 0040B583
78, xrefs: 0040B785

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: 78$TsZq$pv$~q$31$?=
API String ID: 0-3635031037
Opcode ID: f620a66ecb55df7fc58d9ece39b3aaaba313be965ebcec3e7072a6d921bf2ff2
Instruction ID: ce34578074efcf592b9224fecfcf9cb5b237ff9dfdb1144bf3910723a8e3ccf7
Opcode Fuzzy Hash: f620a66ecb55df7fc58d9ece39b3aaaba313be965ebcec3e7072a6d921bf2ff2
Instruction Fuzzy Hash: 010278B5200B02CFD728CF25D881B56BBB5FB46314F148AACE4969BB92D774E485CF84

Function 005EC7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005EC8CB

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3a251d30784d73333e6ce12660807acda05580702994b09d255ebe3ee0ba5791
Instruction ID: ea48f4747f43b1ba40750ff82ea963d96b812b9adef5881638cb681e44094696
Opcode Fuzzy Hash: 3a251d30784d73333e6ce12660807acda05580702994b09d255ebe3ee0ba5791
Instruction Fuzzy Hash: CA71D37180419D5EDF28EF2A9C8DAAEBFB9FB45300F1441D9E489A3251DB309E869F50

Function 005E5444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005E5450
IsDebuggerPresent.KERNEL32 ref: 005E551C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005E553C
UnhandledExceptionFilter.KERNEL32(?), ref: 005E5546

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b350a0cda3759ffab162eeab5f7771db64c341771a22fc26988abb3049b775ab
Instruction ID: 522423b534d33a7156ec6e1da9a3d708adca25b1776332b6a8873a07e2876fe1
Opcode Fuzzy Hash: b350a0cda3759ffab162eeab5f7771db64c341771a22fc26988abb3049b775ab
Instruction Fuzzy Hash: DC312775D053199BDF10EFA5D989BCDBBB8BF18304F1040AAE44CAB250EB749A89CF04

Function 004203B0 Relevance: 5.8, Strings: 4, Instructions: 830COMMON

Download Yara Rule

Strings

igup, xrefs: 004206B3
h|aa, xrefs: 004206CF
)(,*, xrefs: 00420A33
NU~d, xrefs: 00420707

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: )(,*$NU~d$h|aa$igup
API String ID: 0-143059678
Opcode ID: 96753fe0c4b5c23692884ebfe7433b8f9c6d53fd44d930ff94e15cf01fc6f345
Instruction ID: e399c97fad158a7d4b3ef684cb7d4296476cc49c03f36c0f1be86e288880a329
Opcode Fuzzy Hash: 96753fe0c4b5c23692884ebfe7433b8f9c6d53fd44d930ff94e15cf01fc6f345
Instruction Fuzzy Hash: DF521E70604B918FC735CF29D490B27BBE1AF56314F588A6EC4E68BB92C739E406CB54

Function 0040AD70 Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

Fa, xrefs: 0040B221
&, xrefs: 0040B228
_Q, xrefs: 0040AE46

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: &$Fa$_Q
API String ID: 0-1172198529
Opcode ID: 8d28bbaa24a835a40fdb333aced1ab07a9ee7cba489cf7dfe95071a0e64340a8
Instruction ID: 5930f355581a27b162a52f55cba0b1af5c7241ca9883d0eb4953c51ebd911f4b
Opcode Fuzzy Hash: 8d28bbaa24a835a40fdb333aced1ab07a9ee7cba489cf7dfe95071a0e64340a8
Instruction Fuzzy Hash: ACE1267264C7504BD314CF29889436BFBE2EFD1314F19893DE8D55B381DB7989098B8A

Function 00403E80 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

), xrefs: 00403EFC
), xrefs: 00403F06
IEND, xrefs: 004042D0

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 4ea11ce3b91a3cbc7cbf71fd51f5e784c9b0a6a76b48f730835f1c0f1c2bf4de
Instruction ID: 825a59512649c6ee5090f5408381d00a5ffb775a041735f94c24c1e6c9cbd73f
Opcode Fuzzy Hash: 4ea11ce3b91a3cbc7cbf71fd51f5e784c9b0a6a76b48f730835f1c0f1c2bf4de
Instruction Fuzzy Hash: 2FE1AFB1A087029FD310DF29D84171ABBE4BB94308F14463EF994AB3C1D779E955CB8A

Function 004098F0 Relevance: 4.1, Strings: 3, Instructions: 376COMMON

Download Yara Rule

Strings

95CBEFD18DDCE7726CA361616D950AC3, xrefs: 004099A0
4, xrefs: 00409961
zr, xrefs: 00409BD0

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: 4$95CBEFD18DDCE7726CA361616D950AC3$zr
API String ID: 0-1367084576
Opcode ID: 8773539613985a28f913871aad1912a419b42aeed569dfaca877839ed66d23a5
Instruction ID: 5f09388decda20fa4ab73873a218c3cc4f1339e5cccc3754d58ae5ae3fb146a8
Opcode Fuzzy Hash: 8773539613985a28f913871aad1912a419b42aeed569dfaca877839ed66d23a5
Instruction Fuzzy Hash: 9BD104716083808BE714CF25D8917ABBFE1EFD2308F14892DE4E59B392D7399909CB56

Function 00428E9A Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

upxm, xrefs: 00428F2C
yP@R, xrefs: 00428F04
xhm~, xrefs: 00428F1C

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: upxm$xhm~$yP@R
API String ID: 0-1390017308
Opcode ID: 88b1490a02fe49a57f58feb320aa09e02593e861b904f645aec105220b99ae74
Instruction ID: af5498b4fc6cc72f560c695589bd454323e307ad006dfb9a2d156b6831be40ec
Opcode Fuzzy Hash: 88b1490a02fe49a57f58feb320aa09e02593e861b904f645aec105220b99ae74
Instruction Fuzzy Hash: ED71C1B5A083118FC718DF29D89072AB7E1BF89304F49457ED88A97391DB78DC05CB9A

Function 0042F112 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042F3F1

Strings

vT^;, xrefs: 0042F306

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: vT^;
API String ID: 3664257935-2442543054
Opcode ID: 892e997350e48c3dad14e8eebe585f11da97636dacdf2979248efea06123300e
Instruction ID: 875542a9b18cbdcb975dd6f04bbcbe52110891a420304d52972b13c5b32b9c9f
Opcode Fuzzy Hash: 892e997350e48c3dad14e8eebe585f11da97636dacdf2979248efea06123300e
Instruction Fuzzy Hash: 0BA115757447418FD321CF29C8817A3BBE2EF56304F58497DD4D64B382D279A80ACB65

Function 00427D60 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

p, xrefs: 004281B0
>vG[, xrefs: 00427E1C

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: >vG[$p
API String ID: 2994545307-2792220601
Opcode ID: 77f81105453dd50864e4faf62509e2308e9e8fb1c1e5475ac8046641157ed9c6
Instruction ID: 06dc2a1fe042ad7918ba1b4204c0e2a3966152431c91071ed29db84b6afc3124
Opcode Fuzzy Hash: 77f81105453dd50864e4faf62509e2308e9e8fb1c1e5475ac8046641157ed9c6
Instruction Fuzzy Hash: 02C16E7170D3208BD714CE28D8917BBB7D2EF95304F99853EE9859B381EA78DC05839A

Function 0040D674 Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

Z[3r, xrefs: 0040D873
G{, xrefs: 0040D67B

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: G{$Z[3r
API String ID: 0-2113663995
Opcode ID: c9e13038f21d3b6ee1033d7122ba0b877ebeb07536f1aa438eb4e88d76e49ebe
Instruction ID: 1a5feb0809f76519750067d64de5eff0df4b781c6f08c4dade58f915db27b622
Opcode Fuzzy Hash: c9e13038f21d3b6ee1033d7122ba0b877ebeb07536f1aa438eb4e88d76e49ebe
Instruction Fuzzy Hash: 884116719183D18AE330CF65D8507EFB7D1EFC2318F18897ED8D8A7292E67909418796

Function 0040EEB8 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

5|iL, xrefs: 0040EF40
5|iL, xrefs: 0040EFF0

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 5|iL$5|iL
API String ID: 2994545307-2062425083
Opcode ID: 677af188185cee45a08ca9309d9910533c4f2ef95330105613439affcdf07f9f
Instruction ID: 3506aa51528a493ff225667ae5ed524b58d6f492e6e9120b7ca6d82707b63838
Opcode Fuzzy Hash: 677af188185cee45a08ca9309d9910533c4f2ef95330105613439affcdf07f9f
Instruction Fuzzy Hash: 8E316E37A052209BD3388B19CC81B6F7252ABC6714F2ED63DDC8937399C6785C1587C9

Function 00419E93 Relevance: 2.3, Strings: 1, Instructions: 1011COMMON

Download Yara Rule

Strings

KJE, xrefs: 0041A44E

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: KJE
API String ID: 0-1538290119
Opcode ID: 964eb763c395bb61725b993b91cc913ec7018d1f9062cb967cdd123453a630f1
Instruction ID: a7a5120e6780268d000a41d4099c5f4f536610df1e5312aae1d7e958802ba678
Opcode Fuzzy Hash: 964eb763c395bb61725b993b91cc913ec7018d1f9062cb967cdd123453a630f1
Instruction Fuzzy Hash: 0A720071201701CFD728CF29C8917A3B7F2FF9A314B18856DD4868B7A1E739A892CB55

Function 00423BE0 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00443598,00000000,00000001,00443588), ref: 00423C09

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 7fbc7cf3d751a120928930b0b689cd99fe2e3c8587a2ef96e0c7bb893b3d262e
Instruction ID: 60c59c07a56f120d1b088f973bfe9659beae6fa0e4e430aea44acf461ba3bc47
Opcode Fuzzy Hash: 7fbc7cf3d751a120928930b0b689cd99fe2e3c8587a2ef96e0c7bb893b3d262e
Instruction Fuzzy Hash: 2351EFB1700320ABDB209F25DC86B6733B4EF81769F444519F9858B390E37DEA05C76A

Function 0042BF00 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 0042C1E8

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 7ba8085390e9d9d1674724f665db03ec52fefc01fc448a2f4b7fc4b4a0dceecc
Instruction ID: 0bf4e8bad12aa6d766d245719c22132dc09340585cf76315267bd615b0f76128
Opcode Fuzzy Hash: 7ba8085390e9d9d1674724f665db03ec52fefc01fc448a2f4b7fc4b4a0dceecc
Instruction Fuzzy Hash: 11D1F572B083259FC714CE65A89076FB7E5AB84314F48896FE89987382DB38DD04C7D6

Function 0041E3A6 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

OM}, xrefs: 0041E52E

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: OM}
API String ID: 0-1006303042
Opcode ID: 2b5ae30a076d6df3b2ea99c6811f77c0edc01f82643934aa06ecb690bdbe9297
Instruction ID: cbf78b77270521ec31c9fb57e800a463c8e06c90812f12a46eceaef76dd37196
Opcode Fuzzy Hash: 2b5ae30a076d6df3b2ea99c6811f77c0edc01f82643934aa06ecb690bdbe9297
Instruction Fuzzy Hash: CD5147789083519AC714CF26C4917B7B7F1EF92354F08591DEDC24B391E3799884CB9A

Function 00440CB0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@, xrefs: 00440D89

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 8f0bf80c0552495aa0227107b964bf923cd9330abae26570ada9f4a67ff19873
Instruction ID: 6b8ae52c6521f3d1ed02e3b489489dde1a9e1440d5873d559aa86c1d688a76d3
Opcode Fuzzy Hash: 8f0bf80c0552495aa0227107b964bf923cd9330abae26570ada9f4a67ff19873
Instruction Fuzzy Hash: FF417971A053108BE718CF24C89236BB7E1FF85318F19852DE5999B390E73DAC14C78A

Function 004410B0 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

5|iL, xrefs: 004411D0

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 5|iL
API String ID: 2994545307-1880071150
Opcode ID: 3b5c2aa44bfe4f0559dc0e7030eff22385ad0ba6542dd51eeab3ccc2b6a908ed
Instruction ID: abde64dbdc7a399865c2e3e77a58170057d43298c1254d85a5409ebda0281772
Opcode Fuzzy Hash: 3b5c2aa44bfe4f0559dc0e7030eff22385ad0ba6542dd51eeab3ccc2b6a908ed
Instruction Fuzzy Hash: 14311334245300AFF7109F55CC81B77B7E5EB4A319F28452EE685A73A1D2B9AC818B49

Function 0042E97E Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

efg`, xrefs: 0042EA22

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: efg`
API String ID: 2994545307-115929991
Opcode ID: 8f8c653e9c7432d00b43088098e98263c012b57c006b697c092851ac2fc82c8e
Instruction ID: 50b1a9d1400f02cfd64d5a74a5e027d323d61da3c048a24fcbe79ff49634978c
Opcode Fuzzy Hash: 8f8c653e9c7432d00b43088098e98263c012b57c006b697c092851ac2fc82c8e
Instruction Fuzzy Hash: 26412C703047918FE729CB3694A1B73BBD2AF53304F9D896ED0C747292D7656801C759

Function 00441220 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

@, xrefs: 0044129A

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 8035c0c9a67ca93b32ae3a0fa005d34e97f0baa2108304f2c05b048c804e215c
Instruction ID: 97c176db586c7d19d178caac3a84e5ab3517daa35fde1b80b098ed901c9d4776
Opcode Fuzzy Hash: 8035c0c9a67ca93b32ae3a0fa005d34e97f0baa2108304f2c05b048c804e215c
Instruction Fuzzy Hash: 8A31F5715083048FE310DF59D8C16ABB7F4FF96314F54492DE994973A0E3B99848CB5A

Function 0042E452 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

{FLM, xrefs: 0042E496

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID: {FLM
API String ID: 0-3184276695
Opcode ID: a70bac8570a78eb30417192bc813facde4fd11b492a8a323cda1a002be69095d
Instruction ID: a314b66382b70de4c72545c445d9f91f9b08b8a0d60944e6470e90e84f42d60c
Opcode Fuzzy Hash: a70bac8570a78eb30417192bc813facde4fd11b492a8a323cda1a002be69095d
Instruction Fuzzy Hash: F001F9313447808BD719C7368CA06EBBB53E7C3219F5EC76DC19A07A9AC73824068B86

Function 0043FBA0 Relevance: .9, Instructions: 920COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508e2121c0f7d8165598542375894f54164fa314eaecadba0bac6083f88fef54
Instruction ID: d7d763185584c11bfcd20891fe4b3aff94b0cf42586f13fcab9308ff2bbdef73
Opcode Fuzzy Hash: 508e2121c0f7d8165598542375894f54164fa314eaecadba0bac6083f88fef54
Instruction Fuzzy Hash: BA52143AA48211CFD704CF28D88026AB7F2FB8A314F1A897DD99597351D738E855CB86

Function 0043FFE0 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cf00b53b8af0f8cad231d7b70b51fc654ab1b3a45eb25b42825f70827e1137
Instruction ID: b19ab44e36407440470d2cb0909f12781a4405458bb039ca71a9dada2131c5af
Opcode Fuzzy Hash: 92cf00b53b8af0f8cad231d7b70b51fc654ab1b3a45eb25b42825f70827e1137
Instruction Fuzzy Hash: E6120539A48211CFE704CF28D88026AB7F1FF8A314F0A897DD68597351D738E966CB46

Function 004400A0 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ea46eb8a6524690d843dc20c5fb61beaa21c6e4c76ab0b786f7c624456ce5a
Instruction ID: 1c9cc30a16714bb6d48a7539d6704a91b294ccc741bb0596946bbd7f6803d79f
Opcode Fuzzy Hash: d6ea46eb8a6524690d843dc20c5fb61beaa21c6e4c76ab0b786f7c624456ce5a
Instruction Fuzzy Hash: C1121435A48211CFE704CF24D8802AAB7F1FF8A314F0A897DDA8697351D739E956CB46

Function 0042A210 Relevance: .5, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9db8de0c0943a215c2a45d550bd6384decc1ffd6558e240cfb9de4822f54a96
Instruction ID: 9316307a8297b3ffb8154b6e588bb5698ec7a89278114cb28ea95b40f7f559d5
Opcode Fuzzy Hash: e9db8de0c0943a215c2a45d550bd6384decc1ffd6558e240cfb9de4822f54a96
Instruction Fuzzy Hash: 48F16A71A04215CFCB14CF64D8916AFB7B2FF96304F58406DE8956B392E738AC16CB49

Function 00419040 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86aaef4c794619c0bcdf2b2c1e97aea5dd9ba63a1baa26358d106c3a606d9ecc
Instruction ID: c3c51fe5c703fd793dd28ea1902bdbeaa6dcd5dd7fb71bedd39309c9dbac5c5a
Opcode Fuzzy Hash: 86aaef4c794619c0bcdf2b2c1e97aea5dd9ba63a1baa26358d106c3a606d9ecc
Instruction Fuzzy Hash: DCB166B6908204DBD7249F14DC627BB73A0FF86318F09853DE9864B391E739AD44C79A

Function 00405A80 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c56ffa4b278840cdb210e64d8c4544f77bcb5db9ced20a20139485975e0c9ad
Instruction ID: 39af44af45aa9159e77cf681044e9918bb15d87033d67094cd06bff32db97e91
Opcode Fuzzy Hash: 6c56ffa4b278840cdb210e64d8c4544f77bcb5db9ced20a20139485975e0c9ad
Instruction Fuzzy Hash: 87F1CF71208B418FC724DF29C980A2BFBE2FF99304F04892EE4D557791E679E944CB96

Function 00429D4A Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48363801c42e7f633e1fd52c808882014b3a146e1427cae5019aa8a13b02bf9
Instruction ID: 9e188456093ea531a07c904740983b5670ae3f809d91eac7994e4fce8e8c741d
Opcode Fuzzy Hash: b48363801c42e7f633e1fd52c808882014b3a146e1427cae5019aa8a13b02bf9
Instruction Fuzzy Hash: 31C12476A00225CFDB14CF68D88179EB7B2FF85310F09826DD845AB781DB78A812CBD4

Function 00440430 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bd99ff3b20ddffc8e27113cf7a5ab44260eb0b10adcdb5c33aba97b5b59606
Instruction ID: 60904a9924ccadaae792e35d667e3de84b4daaa0f84c5f102ab81dbef8688638
Opcode Fuzzy Hash: 49bd99ff3b20ddffc8e27113cf7a5ab44260eb0b10adcdb5c33aba97b5b59606
Instruction Fuzzy Hash: 3EC12739A08215CFDB04CF64D8802AEB7B1FB8A314F1A847DCA8697351C739E956CB95

Function 00441920 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02d962c7e31647a17bd56b447670b57c19dbc0da820584a41b19d2fe4e4b5315
Instruction ID: b97290930fe42209ebc0485e1ea3ddd793542c1890314c6d02aedefa4e79d3a7
Opcode Fuzzy Hash: 02d962c7e31647a17bd56b447670b57c19dbc0da820584a41b19d2fe4e4b5315
Instruction Fuzzy Hash: 9991F5356083519BD724DF14C890A6BB7F1FF89350F19882DE99197361D739EC81CB86

Function 00441620 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ec081d72aea06f78b2142ddb3c7def7af2816c8ae05f124d865254c0aa4bfaf
Instruction ID: 64c47b1ab94feeefd4c4a20103c057ad0f18f3b66e4b952c8880aed29def7398
Opcode Fuzzy Hash: 0ec081d72aea06f78b2142ddb3c7def7af2816c8ae05f124d865254c0aa4bfaf
Instruction Fuzzy Hash: 12919A346043019FE714DF19C490A6BB7F2EF99314F19892EE9858B361DB39EC91CB86

Function 0042F4CC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce3bd4495dcedc597afd575fe872603cde8b168ee787bc2e024ae0b7f51150d
Instruction ID: 574631d812adf6d1ccbd228a00d3fb17c29a5b5de23592ac790880a07ce4f0d7
Opcode Fuzzy Hash: 5ce3bd4495dcedc597afd575fe872603cde8b168ee787bc2e024ae0b7f51150d
Instruction Fuzzy Hash: B0512960208B919ED3258F3590503B3BFF0DF57304F5848AED2E69B352D77DA44A8769

Function 00429FD0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca2093ceb1ff82705b9d9f188e48c2cd001b933bc8c9904200fd0cfae43ccf4
Instruction ID: dbc3d241f8b3db45468fb5ff1801d682b9420633b21be94ce3fa1f6397c63540
Opcode Fuzzy Hash: eca2093ceb1ff82705b9d9f188e48c2cd001b933bc8c9904200fd0cfae43ccf4
Instruction Fuzzy Hash: E951AA76A00315CFDB10CF68DC917AAB3B1FF45304F19416DD945AB350EB38A925C788

Function 00425B05 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5043121ea707d9c4434847240d413b801cf196c94de0b8475f6fdaa61d8bca58
Instruction ID: 9d7c2b836c5306d37a6b93e754e54519da0fbde8c43f5bcab1b8b703c9c36ff9
Opcode Fuzzy Hash: 5043121ea707d9c4434847240d413b801cf196c94de0b8475f6fdaa61d8bca58
Instruction Fuzzy Hash: 595137317093A58BEB308E28E4413EBB7E1DF55310F96492FD4D987381D23CA905D74A

Function 00408D40 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6657a002c6e5b4650e6839116e29613a6d6cc702b65bf7f5d7927f26d40006
Instruction ID: 5e98b70173ad86b6ace481bda1b7e45e80e568dea6e36557a4f9787392861e45
Opcode Fuzzy Hash: 9c6657a002c6e5b4650e6839116e29613a6d6cc702b65bf7f5d7927f26d40006
Instruction Fuzzy Hash: BE219537A51A148BD310CDA5CC847927296ABD9328F3E877989789B3D2C97BAC0346C0

Function 00419DCA Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8178d1d0f0b6815f5d0f10f173b886a6f30786ab4c3eb51090a6dc703dc372
Instruction ID: fed0c287326ca92b9bc953c0812430d38a507619049f60e0670667edd6c1a914
Opcode Fuzzy Hash: cf8178d1d0f0b6815f5d0f10f173b886a6f30786ab4c3eb51090a6dc703dc372
Instruction Fuzzy Hash: 1A216B74104B418FD325CF29C0A0A52FBF2FF8A308B148A6DC4D68BB51D735E84ACB55

Function 00440E60 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71493dfae0976ea30e96c66a8ea46969ba6bb111a32a73c0a820e37529ea9e15
Instruction ID: bb6a34fadf1d6beadb2a44e60f0c816be90e7ae9456ab20467f1fabd58f3d6ee
Opcode Fuzzy Hash: 71493dfae0976ea30e96c66a8ea46969ba6bb111a32a73c0a820e37529ea9e15
Instruction Fuzzy Hash: E9118C346042005FE7208F15C8C0AABBBA1EBC6318F68442DEAD057392E6758C66C795

Function 00436630 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 7c1f6d6feb669a1bcae78b178d30467eb78e265fbfc800183f3e250ee45102b6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 5F112533A041D24EC3128D3C8400565BFA30AA7274F1AD39AF4B89B3D2D6268D8A8369

Function 0042B8F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d929a40ef07c6e14fae4fe2d175e69af433c78edeb71fcf2e184bb9819846d
Instruction ID: 8bf6f271ed73f60eecdf394c5aad843aa4da6d94f668066ef172841f83189961
Opcode Fuzzy Hash: 75d929a40ef07c6e14fae4fe2d175e69af433c78edeb71fcf2e184bb9819846d
Instruction Fuzzy Hash: B50192F170071157D620AE15A5D0737A3A89F91708F48443EDA98AB341EB7AEC4582D9

Function 0041C15D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac2c67ad08e358a0df8421f570cfcf2776ef4fd8c04b8957e61e5da516350ad
Instruction ID: 9e3602c67c84267bfbf54267d61fa0a9cb588792b5b3092dc17a3f3b6c42c92a
Opcode Fuzzy Hash: 0ac2c67ad08e358a0df8421f570cfcf2776ef4fd8c04b8957e61e5da516350ad
Instruction Fuzzy Hash: C71125752C2700DFD7258F15CCC457273A2EF96310B29D47ED04A8B362DAB898418B08

Function 00402760 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dd474cf1f47f5cdf98fcb82f635e07d9222514e138a179c1f62e8a185ed476
Instruction ID: 2f11de84ab7a71122bc6be4116804059335cfe89b2f77966ef6f04f7189db86d
Opcode Fuzzy Hash: 54dd474cf1f47f5cdf98fcb82f635e07d9222514e138a179c1f62e8a185ed476
Instruction Fuzzy Hash: 3BF0593B7192160BE311DD79DD80A2BB396EBD5204B0E4139F940E3781D1B4E80182A9

Function 0042EAD3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d4314cff306e1a82fba4cdb71ab16e38f411eff9ef911e29b6deda17251ff0
Instruction ID: ca3237c995a23a1e332bd25f792f94f26254bb22c46ccef7c9d6ea126c0d45b0
Opcode Fuzzy Hash: 35d4314cff306e1a82fba4cdb71ab16e38f411eff9ef911e29b6deda17251ff0
Instruction Fuzzy Hash: EBC01228A8A2894FC30AAF2488524246B70DA0310470828AAC186F7262C82488068B1D

Function 005E4CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005E4CB6
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005E4CC4
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005E4CD5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005E4CE6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005E4CF7
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005E4D08
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 005E4D19
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005E4D2A
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 005E4D3B
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005E4D4C
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005E4D5D
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005E4D6E
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005E4D7F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005E4D90
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005E4DA1
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005E4DB2
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005E4DC3
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 005E4DD4
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 005E4DE5
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 005E4DF6
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 005E4E07
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 005E4E18
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 005E4E29
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 005E4E3A
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 005E4E4B
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 005E4E5C
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005E4E6D
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 005E4E7E
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005E4E8F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005E4EA0
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 005E4EB1
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 005E4EC2
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 005E4ED3
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005E4EE4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 005E4EF5
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 005E4F06
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 005E4F17
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 005E4F28
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 005E4F39
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 005E4F4A
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 005E4F5B

Strings

FlsFree, xrefs: 005E4CCA
CloseThreadpoolWait, xrefs: 005E4DB8
CreateSemaphoreW, xrefs: 005E4D30
FlsGetValue, xrefs: 005E4CDB
SetThreadpoolWait, xrefs: 005E4DA7
AcquireSRWLockExclusive, xrefs: 005E4EB7
GetFileInformationByHandleEx, xrefs: 005E4E2F
GetCurrentProcessorNumber, xrefs: 005E4DEB
WakeAllConditionVariable, xrefs: 005E4E84
CompareStringEx, xrefs: 005E4F2E
LCMapStringEx, xrefs: 005E4F50
CreateEventExW, xrefs: 005E4D1F
GetTickCount64, xrefs: 005E4E1E
FlsAlloc, xrefs: 005E4CBE
CreateThreadpoolWait, xrefs: 005E4D96
SetThreadpoolTimer, xrefs: 005E4D63
FlushProcessWriteBuffers, xrefs: 005E4DC9
ReleaseSRWLockExclusive, xrefs: 005E4ED9
CreateThreadpoolTimer, xrefs: 005E4D52
WaitForThreadpoolTimerCallbacks, xrefs: 005E4D74
CreateThreadpoolWork, xrefs: 005E4EFB
WakeConditionVariable, xrefs: 005E4E73
CreateSymbolicLinkW, xrefs: 005E4E01
SetFileInformationByHandle, xrefs: 005E4E40
kernel32.dll, xrefs: 005E4CB1
FreeLibraryWhenCallbackReturns, xrefs: 005E4DDA
FlsSetValue, xrefs: 005E4CEC
SleepConditionVariableCS, xrefs: 005E4E95
TryAcquireSRWLockExclusive, xrefs: 005E4EC8
GetSystemTimePreciseAsFileTime, xrefs: 005E4E51
CreateSemaphoreExW, xrefs: 005E4D41
InitializeSRWLock, xrefs: 005E4EA6
SleepConditionVariableSRW, xrefs: 005E4EEA
SubmitThreadpoolWork, xrefs: 005E4F0C
CloseThreadpoolTimer, xrefs: 005E4D85
GetLocaleInfoEx, xrefs: 005E4F3F
GetCurrentPackageId, xrefs: 005E4E0D
InitializeCriticalSectionEx, xrefs: 005E4CFD
InitOnceExecuteOnce, xrefs: 005E4D0E
CloseThreadpoolWork, xrefs: 005E4F1D
InitializeConditionVariable, xrefs: 005E4E62

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 3cd2b584b638be04b71d3cf6418bafbc16b5c8b3849d2435e6fe8724a9a4fa71
Instruction ID: 07892918c445267f27fc8ea8e7932d6919d9462ee164696842a42b8b87edcb0e
Opcode Fuzzy Hash: 3cd2b584b638be04b71d3cf6418bafbc16b5c8b3849d2435e6fe8724a9a4fa71
Instruction Fuzzy Hash: 7D610371992758ABCB046FF4AE0D9F63FE8BB397413004426B241D3265DBFC6149EB64

Function 00430003 Relevance: 43.9, APIs: 2, Strings: 23, Instructions: 105COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00430009
VariantInit.OLEAUT32 ref: 00430018

Strings

F, xrefs: 004300A8
+, xrefs: 004300A0
-, xrefs: 0043004C
Y, xrefs: 0043007C
_, xrefs: 00430084
;, xrefs: 00430070
G, xrefs: 00430050
/, xrefs: 00430044
C, xrefs: 00430094
), xrefs: 0043003C
3, xrefs: 00430080
Q, xrefs: 0043005C
S, xrefs: 00430054
A, xrefs: 0043009C
], xrefs: 0043008C
U, xrefs: 0043006C
G, xrefs: 004300A4
+, xrefs: 00430034
W, xrefs: 00430064
", xrefs: 00430068
, xrefs: 00430088
E, xrefs: 004300AC
[, xrefs: 00430074

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: $"$)$+$+$-$/$3$;$A$C$E$F$G$G$Q$S$U$W$Y$[$]$_
API String ID: 2610073882-1808557734
Opcode ID: 4ae87121ca058b1fddb145d820b293e0072d2ecef1e013bd4af0c5aa911ac905
Instruction ID: 429d5049784534c88a2d89a8b68df12836aab516dafafa9b016fbf5dbc04ffee
Opcode Fuzzy Hash: 4ae87121ca058b1fddb145d820b293e0072d2ecef1e013bd4af0c5aa911ac905
Instruction Fuzzy Hash: B5512B61108BC0CEDB168F38D8D8316BF916F56318F18859DC9A90F38BC7B9D519CBA6

Function 005E90D3 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 005E91F2
___TypeMatch.LIBVCRUNTIME ref: 005E9300
CatchIt.LIBVCRUNTIME ref: 005E9351
_UnwindNestedFrames.LIBCMT ref: 005E9452
CallUnexpected.LIBVCRUNTIME ref: 005E946D

Strings

csm, xrefs: 005E917D
@]^, xrefs: 005E926D, 005E9275
csm, xrefs: 005E9229
csm, xrefs: 005E9110

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: @]^$csm$csm$csm
API String ID: 4119006552-799744425
Opcode ID: 3e94d719b8ae84587a9c5e29787b9a4ccc71a26c3d80cf6489dd824cb4c82ef8
Instruction ID: 03219d0a21a2798768fb70d16c68df27216438f2269fdfe276f57faccf725ad7
Opcode Fuzzy Hash: 3e94d719b8ae84587a9c5e29787b9a4ccc71a26c3d80cf6489dd824cb4c82ef8
Instruction Fuzzy Hash: 7BB1AB75C0028AEFCF1CDFA6C8849AEBFB5FF48310B14445AE8856B242D731DA52CB91

Function 0040DF2E Relevance: 15.4, APIs: 1, Strings: 9, Instructions: 352COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DF3A

Strings

h, xrefs: 0040E07E
[Y, xrefs: 0040E292
frogs-severz.sbs, xrefs: 0040E3D7
WU, xrefs: 0040E29D
:+*), xrefs: 0040E2BE
TMRC, xrefs: 0040E068
SQ, xrefs: 0040E2A8
/=-, xrefs: 0040E2B3
)5*, xrefs: 0040DF60

Memory Dump Source

Source File: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_xLauncher.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: :+*)$TMRC$frogs-severz.sbs$h$)5*$/=-$SQ$WU$[Y
API String ID: 3861434553-1470547384
Opcode ID: f6a9089406869b2dad6371ecaef34e88e63f2cfa4cda6aa3744e237e44161587
Instruction ID: 9964acfc70bf0bec946f210e18c74711709ed7fcba6d1ea405e45b4af4bdc7c9
Opcode Fuzzy Hash: f6a9089406869b2dad6371ecaef34e88e63f2cfa4cda6aa3744e237e44161587
Instruction Fuzzy Hash: EAB114765083D18AD3388F25C4657EFBBE1ABD2304F19896DC4DA5B392DB394406CB86

Function 005E6130 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005E6167
___except_validate_context_record.LIBVCRUNTIME ref: 005E616F
_ValidateLocalCookies.LIBCMT ref: 005E61F8
__IsNonwritableInCurrentImage.LIBCMT ref: 005E6223
_ValidateLocalCookies.LIBCMT ref: 005E6278

Strings

csm, xrefs: 005E620D
^^, xrefs: 005E6215, 005E621E, 005E622F

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ^^$csm
API String ID: 1170836740-3765710807
Opcode ID: 7f8fdb603672997dc7c0eb0359e9498ed5286d2102324b92d509668976045d58
Instruction ID: b943d13b7199b127325f8206969e1ebd94d3ce2875227de2801e21fafd91e68e
Opcode Fuzzy Hash: 7f8fdb603672997dc7c0eb0359e9498ed5286d2102324b92d509668976045d58
Instruction Fuzzy Hash: EE417934A00299EBCF18DF6ACC48AAEBFB1FF54394F048055E9559B392D735EA04CB80

Function 005F0308 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,005F02F3,?,?,?,?,?,?,?,?,?,?), ref: 005F03AE
__alloca_probe_16.LIBCMT ref: 005F0469
__alloca_probe_16.LIBCMT ref: 005F04F8
__freea.LIBCMT ref: 005F0543
__freea.LIBCMT ref: 005F0549
__freea.LIBCMT ref: 005F057F
__freea.LIBCMT ref: 005F0585
__freea.LIBCMT ref: 005F0595

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: f200e6fc72673d4e800ca0fac7a258714df90755dd78e31fb8b0f3189ff96e53
Instruction ID: c923966aafcf2f8464b467da3423063ae3e224ddb11d2bb8d0abf4763d8651cb
Opcode Fuzzy Hash: f200e6fc72673d4e800ca0fac7a258714df90755dd78e31fb8b0f3189ff96e53
Instruction Fuzzy Hash: D171D47290024E9BDF219B548C45BBF7FAABF89314F2C2415EA44A72C3E779DD048B60

Function 005E9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,005E9EE2,005E41E0,?,00000000,?,?,?,005E9BEB,00000022,FlsSetValue,005F3DDC,005F3DE4,?), ref: 005E9E94

Strings

ext-ms-, xrefs: 005E9E3E
api-ms-, xrefs: 005E9E2A

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2756dce777b8b029ffdfa24e6bc82efec147e9ade835c4abf201e4abaf49e0f4
Instruction ID: cd89f6ae2a5de22670eba049624d3ba9fca4518b41e8b759029c13a93f82d93c
Opcode Fuzzy Hash: 2756dce777b8b029ffdfa24e6bc82efec147e9ade835c4abf201e4abaf49e0f4
Instruction Fuzzy Hash: 3A212B31A00292ABDB25CB26DC44B6A3F5CBFA1760F250120EE85E7291D734ED05D6E0

Function 005DBEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 005DBF10

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1ef331753114d0dd101acc0e477224d8aa0bce68cece8583726a4c17c9bc3949
Instruction ID: e2d00a8969be4baac6d00a70d635760ab5ba8fc068baee88c36584f52d2f2aef
Opcode Fuzzy Hash: 1ef331753114d0dd101acc0e477224d8aa0bce68cece8583726a4c17c9bc3949
Instruction Fuzzy Hash: FC7112B490420ADFDB14DFACD5586AEBFF0BB48700F20891BE846AB350D7389945DF92

Function 005E883A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005E8831,005E5F0D,005E55A4), ref: 005E8848
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005E8856
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005E886F
SetLastError.KERNEL32(00000000,005E8831,005E5F0D,005E55A4), ref: 005E88C1

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 47933ec6e361cc8c22acb128322c153365182d0ea773c5dde8ff1c6d1d7c22bb
Instruction ID: 242beae9d08b4d3b1a38baa437a8b90c01fc274a9ebb63b3c693d42a610e7cbc
Opcode Fuzzy Hash: 47933ec6e361cc8c22acb128322c153365182d0ea773c5dde8ff1c6d1d7c22bb
Instruction Fuzzy Hash: 9701D83211D6529DFA2C2BB7BC8A93A2F58FBA17B43600B29F858D41E1EF164C05F654

Function 005E6F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,005F25EB,000000FF,?,005E7015,?,?,005E70B1,00000000), ref: 005E6F89
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005E6F9B
FreeLibrary.KERNEL32(00000000,?,00000000,005F25EB,000000FF,?,005E7015,?,?,005E70B1,00000000), ref: 005E6FBD

Strings

CorExitProcess, xrefs: 005E6F93
mscoree.dll, xrefs: 005E6F82

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8a00f8849777a9a100c7e1513e81a26aec35c771b2f796aaba17abece5237637
Instruction ID: 4ad0bdc46718decad514d9b486c959a6047210f7cccd0048ae7a3e9c75a9b1dd
Opcode Fuzzy Hash: 8a00f8849777a9a100c7e1513e81a26aec35c771b2f796aaba17abece5237637
Instruction Fuzzy Hash: FB01D631904A69EFDF158F51DC09FBEBBB8FB14B51F040525F821E22A4DB789904CA94

Function 005EDF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 005EDFA2
__alloca_probe_16.LIBCMT ref: 005EE06B
__freea.LIBCMT ref: 005EE0D2

Part of subcall function 005EBC45: HeapAlloc.KERNEL32(00000000,?,00000000,?,005E41E0,?,?,005E1007,?,005DFAB5), ref: 005EBC77

__freea.LIBCMT ref: 005EE0E5
__freea.LIBCMT ref: 005EE0F2

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 5b2b24df4d48d744f628fd10fc3ddff382217fc0c0e0ea59af48b2df97073d6f
Instruction ID: 713a641a419904b5efa885913cb171859841c5f01463cc17aa54f935e82ad04f
Opcode Fuzzy Hash: 5b2b24df4d48d744f628fd10fc3ddff382217fc0c0e0ea59af48b2df97073d6f
Instruction Fuzzy Hash: B751C672610287AFEF289F62CC4AEBB7EA9FF84710B154429FD88D6151EB71CC50C660

Function 005E94F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,005E93FE,?,?,00000000,00000000,00000000,?), ref: 005E951D
CatchIt.LIBVCRUNTIME ref: 005E9603

Strings

RCC, xrefs: 005E9537
MOC, xrefs: 005E952F

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 3eb4b68e2527fc9b7814df6d0390067a02b6eaa798895ecf63282d50d8fbe03e
Instruction ID: e1532c549ce7fe47a119788994e22e2a3e9044fec7db3e4d2950279e3cb55517
Opcode Fuzzy Hash: 3eb4b68e2527fc9b7814df6d0390067a02b6eaa798895ecf63282d50d8fbe03e
Instruction Fuzzy Hash: FA419A72900289AFCF2ACF95CC81AEEBFB5FF48304F18809AF945A7221D3359950DB50

Function 005EDC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005EDCFA,00000000,?,005FCCD0,?,?,?,005EDC31,00000004,InitializeCriticalSectionEx,005F46F8,005F4700), ref: 005EDC6B
GetLastError.KERNEL32(?,005EDCFA,00000000,?,005FCCD0,?,?,?,005EDC31,00000004,InitializeCriticalSectionEx,005F46F8,005F4700,00000000,?,005E971C), ref: 005EDC75
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005EDC9D

Strings

api-ms-, xrefs: 005EDC82

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 40068f8f2e1717cf1c2b3efc6e07196aabba7158bb074f0095d110ddbe53a63f
Instruction ID: e1bf7a50b24f83c298fa68cb16657c48aa291f1756c39837303053f4ca10c0be
Opcode Fuzzy Hash: 40068f8f2e1717cf1c2b3efc6e07196aabba7158bb074f0095d110ddbe53a63f
Instruction Fuzzy Hash: 30E0D830650206BBFF102F52DC0EB283F64BB20B90F204020F94DE80E0FBAA9C11D955

Function 005EE5E8 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 005EE64B

Part of subcall function 005ED131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,005E87B1,?,00000000,?), ref: 005ED192

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005EE89D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005EE8E3
GetLastError.KERNEL32 ref: 005EE986

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3987623c3dd60063899a4df4fc0c784d63258ee4b2ac7beb4f13129da76d02ab
Instruction ID: dd5cd624e82457ba194002754347820dd6f8c780f45a4fd8f7a38c030ae7b0b0
Opcode Fuzzy Hash: 3987623c3dd60063899a4df4fc0c784d63258ee4b2ac7beb4f13129da76d02ab
Instruction Fuzzy Hash: 74D199B5D002899FCB19CFA9C8859ADBFF5FF48300F28456AE495EB352D630A906CB50

Function 005E8EFC Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005E8FC3
___AdjustPointer.LIBCMT ref: 005E8FE6
___AdjustPointer.LIBCMT ref: 005E9082

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 35d9fa1e1bf02e441ee34c1c27f16614a816a87376805ea3f392b309e60e3a52
Instruction ID: 6bea40620f17ea6e4590ea878ebb549d7d1bc570eaba5b680528acee7e146645
Opcode Fuzzy Hash: 35d9fa1e1bf02e441ee34c1c27f16614a816a87376805ea3f392b309e60e3a52
Instruction Fuzzy Hash: CD51E072601682AFDB2DCF16C849B7A7BA5FF40310F54052DE9D99B291EB31EC40CB80

Function 005EC5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 005ED131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,005E87B1,?,00000000,?), ref: 005ED192

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,005EC95E,?,?,?,00000000), ref: 005EC61C
__dosmaperr.LIBCMT ref: 005EC623
GetLastError.KERNEL32(00000000,005EC95E,?,?,00000000,?,?,?,00000000,00000000,?,005EC95E,?,?,?,00000000), ref: 005EC65D
__dosmaperr.LIBCMT ref: 005EC664

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 725070d7f9a00161f2a5dfceee6d952f2dabeaca68fe8ca51d14b750729f9d3a
Instruction ID: 72a8c5dca5fdffffd7a31d85f3001932d2896951b4b88112e221d5593ebb46ee
Opcode Fuzzy Hash: 725070d7f9a00161f2a5dfceee6d952f2dabeaca68fe8ca51d14b750729f9d3a
Instruction Fuzzy Hash: FC21F872200296AFDB289F6B8C84D2B7FA9FF853647108819F8E5D7511D730EC02CB90

Function 005ECB54 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d18907ac0ca696754271429aa142d85051d6930200a00076c5f48bc0f359bb0
Instruction ID: 0263de70f820ecdb21b6ec67885e870802ef44124254a1aba1768b4c1ddca6e4
Opcode Fuzzy Hash: 1d18907ac0ca696754271429aa142d85051d6930200a00076c5f48bc0f359bb0
Instruction Fuzzy Hash: 4321CF71600286AFDB28AF678C86D6B7FACFF803A47104515F8AC97551E730EC429BA0

Function 005ED22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005ED235

Part of subcall function 005ED131: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,000000FF,?,?,00000000,?,?,005E87B1,?,00000000,?), ref: 005ED192

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005ED26D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005ED28D

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 8574bcc5cf9c85a9235ece796ed9a9096e81e05f6519376acc8df1c9d1f23e62
Instruction ID: 9a9b4845f683356916f0d08c39ed4567eb07f548ccd15b38a39a62eddee04bd4
Opcode Fuzzy Hash: 8574bcc5cf9c85a9235ece796ed9a9096e81e05f6519376acc8df1c9d1f23e62
Instruction Fuzzy Hash: 191126B690158A7FAB2927735C8DCBF2DBCFEE43957100414FA81D2101FB24DD029570

Function 005F07C0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000), ref: 005F07D7
GetLastError.KERNEL32(?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000,?,?,?,005EE320,00000000), ref: 005F07E3

Part of subcall function 005F0840: CloseHandle.KERNEL32(FFFFFFFE,005F07F3,?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000,?,?), ref: 005F0850

___initconout.LIBCMT ref: 005F07F3

Part of subcall function 005F0815: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,005F07B1,005EFF1E,?,?,005EE9DA,?,00000000,00000000,?), ref: 005F0828

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,005EFF31,00000000,00000001,00000000,?,?,005EE9DA,?,00000000,00000000,?), ref: 005F0808

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 27a1751eae9dbc313ed2c35ccc326f35c632847886f8bab31903abae15625cce
Instruction ID: a0f891d096b3f762674a0911d2c5a582bb06d78d14a9cdfc12995015aa5ef57f
Opcode Fuzzy Hash: 27a1751eae9dbc313ed2c35ccc326f35c632847886f8bab31903abae15625cce
Instruction Fuzzy Hash: 5DF0F83640051DBBCF222F95DC08AAA3E2AFF683A1F048421FB0885162D676C824EB90

Function 005E8D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 005E8D75

Strings

csm, xrefs: 005E8D97
csm, xrefs: 005E8E08

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: b83871b3b400e1f565c8691c54a571c90e2f0c6be1484aa31680e9cc9aaa81f2
Instruction ID: 42c6c7f46f98d676f8e91daefb3f1781b1a8d137c177ba718b9849af0d504b18
Opcode Fuzzy Hash: b83871b3b400e1f565c8691c54a571c90e2f0c6be1484aa31680e9cc9aaa81f2
Instruction Fuzzy Hash: 9531E476400295EFCF2A9F52CD449BA7F6AFF08314B18465AF8CC59221DB32DD61EB81

Function 005E41C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005E49EA
___raise_securityfailure.LIBCMT ref: 005E4AD2

Part of subcall function 005E59FC: RaiseException.KERNEL32(E06D7363,00000001,00000003,005E49DE,BB40E64E,?,?,?,005E49DE,?,005F9B2C), ref: 005E5A5C

Strings

%], xrefs: 005E4A55

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: ExceptionFeaturePresentProcessorRaise___raise_securityfailure
String ID: %]
API String ID: 3749517692-3417064086
Opcode ID: d2f5f77e59fd9d025d58292719f2c07fea41ef8758a57ad8ab2305067c9619cf
Instruction ID: aad4764500013aed4520ac4df7b23f21f8499d368b06208121f20097c292b134
Opcode Fuzzy Hash: d2f5f77e59fd9d025d58292719f2c07fea41ef8758a57ad8ab2305067c9619cf
Instruction Fuzzy Hash: 8A3170B450030D9FDB08EF26FE4A6757FA8BB68314F10413AE908CA2A1E778A54CDF44

Function 005E4241 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005E49EA
___raise_securityfailure.LIBCMT ref: 005E4AD2

Strings

%], xrefs: 005E4A55

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: %]
API String ID: 3761405300-3417064086
Opcode ID: 67da45cbafcf10abc5b1708223c28372c6081dfeb14073a374bd28b8badf0cbc
Instruction ID: 71dfbbb7cbced8f9596ba4f477fd4a1879303ff020157b74f5c86d290a3d65bb
Opcode Fuzzy Hash: 67da45cbafcf10abc5b1708223c28372c6081dfeb14073a374bd28b8badf0cbc
Instruction Fuzzy Hash: 6321EFB5500208DEE714DF16EA5A6707FA4BB68314F10507AE509CB3A1E3BCA88CEF44

Function 005E45A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005E4533: __EH_prolog3_GS.LIBCMT ref: 005E453A

std::domain_error::domain_error.LIBCPMT ref: 005E45EC

Part of subcall function 005E43A4: std::exception::exception.LIBCONCRT ref: 005E43BA

Strings

CD^, xrefs: 005E45D7
CD^, xrefs: 005E45B6, 005E45C9

Memory Dump Source

Source File: 00000003.00000002.2092210976.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000003.00000002.2092196623.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092238372.00000000005F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092256934.00000000005FB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092273468.00000000005FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2092287722.0000000000601000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d0000_xLauncher.jbxd

Similarity

API ID: H_prolog3_std::domain_error::domain_errorstd::exception::exception
String ID: CD^$CD^
API String ID: 2144476180-3205961225
Opcode ID: d6b8f16fae3418730fee897e5035f50a28eb3a45f90fc11a348ba0fa7f4398d7
Instruction ID: 1ebbb08f61b09bac950d7833f7062f07008ab1752f7898858d2011cb2e7e3ebf
Opcode Fuzzy Hash: d6b8f16fae3418730fee897e5035f50a28eb3a45f90fc11a348ba0fa7f4398d7
Instruction Fuzzy Hash: 7B014C74D002099BCF18EF6AD8458AEBFF8FF88704B10851EE45597340DB34DA05CB90

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.155.47:443

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.155.47:443

Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fumblingactor.cyou
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2092143624.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ebx, ecx	3_2_00439390
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000001E8h]	3_2_0040CC6D
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-50CB154Bh]	3_2_00409E30
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h	3_2_00440F30
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00419040
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6FE6A972h]	3_2_004098F0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	3_2_004098F0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042B8F0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi-499E0CD7h]	3_2_004400A0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-499E0CD7h]	3_2_004400A0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_004400A0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h	3_2_004410B0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx eax, byte ptr [esi+ecx+1079369Fh]	3_2_0041C15D
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov byte ptr [edx], cl	3_2_0042E97E
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov dword ptr [esi], ebx	3_2_0042F112
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 4F699CD4h	3_2_00441920
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_004259E0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_004259E0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_004259E0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov edi, ecx	3_2_0041C1F8
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-3E194A8Ah]	3_2_0041C1F8
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00428240
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov edi, dword ptr [ebp-2Ch]	3_2_0042A210
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 40915FE0h	3_2_00441220
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov eax, dword ptr [00448860h]	3_2_0042EAD3
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov eax, ebp	3_2_00405A80
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov eax, ebp	3_2_00405A80
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ebx, bx	3_2_00425B05
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_0042830C
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then push 00000000h	3_2_0040B320
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00425B30
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00425B30
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00425B30
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00423BE0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi-499E0CD7h]	3_2_0043FBA0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-499E0CD7h]	3_2_0043FBA0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_0043FBA0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-0Ah]	3_2_0041E3A6
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_0041E3A6
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then inc eax	3_2_004203B0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004203B0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+6B288C58h]	3_2_004203B0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, edx	3_2_0042E452
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00440430
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax-5A036C71h]	3_2_0042F4CC
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov byte ptr [edx], cl	3_2_0042F4CC
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov eax, ebx	3_2_00409480
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3B55F564h]	3_2_00440CB0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then lea esi, dword ptr [eax+00000270h]	3_2_00408D40
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_00429D4A
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2BD892BAh]	3_2_00427D60
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movsx ecx, byte ptr [eax+edx]	3_2_0040AD70
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-00000081h]	3_2_0040AD70
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, ebx	3_2_00419DCA
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 9C142CDAh	3_2_00440E60
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000001BCh]	3_2_0040D674
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 484CE391h	3_2_00441620
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00436630
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi+25h]	3_2_00403E80
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edi-000000D1h]	3_2_00419E93
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, dword ptr [edx+eax]	3_2_00428E9A
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 4C697C35h	3_2_0040EEB8
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esi]	3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov edi, dword ptr [esp+2Ch]	3_2_00425740
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00402760
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042BF00
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_00429FD0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi-499E0CD7h]	3_2_0043FFE0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-499E0CD7h]	3_2_0043FFE0
Source: C:\Users\user\Desktop\xLauncher.exe	Code function: 4x nop then mov ecx, eax	3_2_0043FFE0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xLauncher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
xLauncher.exe

Function 005FB18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 005E9DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 005DBEB0 Relevance: 9.2, APIs: 6, Instructions: 173
fileCOMMON

Function 005E6CE6 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 005E6FEF Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 005E41C6 Relevance: 3.1, APIs: 2, Instructions: 93
COMMONLIBRARYCODE

Function 005EA732 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 005E6E00 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 005EB0CB Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 005EA00A Relevance: 2.6, APIs: 2, Instructions: 71
COMMONLIBRARYCODE

Function 005E3B60 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Function 005E9E9E Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Function 005DCD90 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Function 005EB807 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE