Edit tour

Windows Analysis Report
8lvzqcMqGF.exe

Overview

General Information

Sample name:	8lvzqcMqGF.exe renamed because original name is a hash value
Original sample name:	3c30dbf2e7d57fdb7babdf49b87d8b31.exe
Analysis ID:	1417370
MD5:	3c30dbf2e7d57fdb7babdf49b87d8b31
SHA1:	33e72f2e8e6b93a2ecffccba64650bda87e08e0d
SHA256:	8d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2
Tags:	32exeLummaStealertrojan
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

8lvzqcMqGF.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\8lvzqcMqGF.exe" MD5: 3C30DBF2E7D57FDB7BABDF49B87D8B31)

conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "turkeyunlikelyofw.shop"], "Build id": "LGNDR1--ketamine"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.790201
SID:	2051473
Source Port:	50877
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.994300
SID:	2050952
Source Port:	61786
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.286318
SID:	2050956
Source Port:	49936
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.891140
SID:	2050953
Source Port:	59000
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.591653
SID:	2051584
Source Port:	53036
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.386472
SID:	2051586
Source Port:	54425
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.485909
SID:	2051587
Source Port:	63226
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/29/24-05:43:48.691364
SID:	2050996
Source Port:	57276
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8lvzqcMqGF.exe

Avira: detected

Antivirus detection for URL or domain

Source: edurestunningcrackyow.fun	URL Reputation: Label: malware
Source: edurestunningcrackyow.fun	URL Reputation: Label: malware
Source: https://colorfulequalugliess.shop/	Avira URL Cloud: Label: phishing
Source: https://turkeyunlikelyofw.shop/api	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/api	Avira URL Cloud: Label: malware
Source: colorfulequalugliess.shop	Avira URL Cloud: Label: phishing
Source: https://turkeyunlikelyofw.shop/	Avira URL Cloud: Label: malware
Source: https://relevantvoicelesskw.shop/R8	Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/apiX	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop//	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/Ut	Avira URL Cloud: Label: malware
Source: relevantvoicelesskw.shop	Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/d	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "turkeyunlikelyofw.shop"], "Build id": "LGNDR1--ketamine"}

Multi AV Scanner detection for domain / URL

Source: colorfulequalugliess.shop	Virustotal: Detection: 20%	Perma Link
Source: wisemassiveharmonious.shop	Virustotal: Detection: 9%	Perma Link
Source: https://colorfulequalugliess.shop/	Virustotal: Detection: 20%	Perma Link
Source: https://associationokeo.shop/api	Virustotal: Detection: 23%	Perma Link
Source: colorfulequalugliess.shop	Virustotal: Detection: 20%	Perma Link
Source: https://turkeyunlikelyofw.shop/	Virustotal: Detection: 20%	Perma Link
Source: wisemassiveharmonious.shop	Virustotal: Detection: 9%	Perma Link
Source: relevantvoicelesskw.shop	Virustotal: Detection: 20%	Perma Link
Source: https://associationokeo.shop/apiX	Virustotal: Detection: 17%	Perma Link
Source: https://turkeyunlikelyofw.shop/api	Virustotal: Detection: 21%	Perma Link
Source: https://pooreveningfuseor.pw/api	Virustotal: Detection: 15%	Perma Link
Source: https://detectordiscusser.shop/v	Virustotal: Detection: 19%	Perma Link
Source: https://associationokeo.shop//	Virustotal: Detection: 23%	Perma Link
Source: https://detectordiscusser.shop/api	Virustotal: Detection: 19%	Perma Link
Source: https://detectordiscusser.shop/	Virustotal: Detection: 19%	Perma Link
Source: relevantvoicelesskw.shop	Virustotal: Detection: 20%	Perma Link
Source: https://associationokeo.shop/d	Virustotal: Detection: 14%	Perma Link
Source: https://pooreveningfuseor.pw/	Virustotal: Detection: 17%	Perma Link
Source: https://detectordiscusser.shop/apiapi	Virustotal: Detection: 19%	Perma Link

Multi AV Scanner detection for submitted file

Source: 8lvzqcMqGF.exe	ReversingLabs: Detection: 91%
Source: 8lvzqcMqGF.exe	Virustotal: Detection: 69%			Perma Link

Machine Learning detection for sample

Source: 8lvzqcMqGF.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: associationokeo.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pooreveningfuseor.pw
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: edurestunningcrackyow.fun
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: detectordiscusser.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: relevantvoicelesskw.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: colorfulequalugliess.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wisemassiveharmonious.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LGNDR1--ketamine

Source: 8lvzqcMqGF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 8lvzqcMqGF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Newman.pdb source: 8lvzqcMqGF.exe
Source:	Binary string: Newman.pdb8 source: 8lvzqcMqGF.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000A10h]	3_2_004200C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_004350C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, eax	3_2_004060B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	3_2_004060B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+40h]	3_2_004131F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041624E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	3_2_00417270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	3_2_00417270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004222E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, word ptr [edi+ecx]	3_2_00419290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	3_2_0041544F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000000A0h]	3_2_0041B4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	3_2_004094A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], cl	3_2_004094A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00420613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041624E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00414795
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ecx-08h], 904D52BCh	3_2_004167A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0042D8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+5Ch]	3_2_0041F920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	3_2_0042F920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	3_2_00409930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 18DC7455h	3_2_00431A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	3_2_0040FAA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_0041EBD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [esi+ecx]	3_2_0040CBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_00414BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	3_2_00434BB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+0Ch]	3_2_00433C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	3_2_0041FC1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+40h], 00000000h	3_2_00411FF4

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2050956 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) 192.168.2.4:49936 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051586 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) 192.168.2.4:54425 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051587 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) 192.168.2.4:63226 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051584 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) 192.168.2.4:53036 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2050996 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop) 192.168.2.4:57276 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051473 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) 192.168.2.4:50877 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2050953 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) 192.168.2.4:59000 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2050952 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) 192.168.2.4:61786 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: associationokeo.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor	URLs: pooreveningfuseor.pw
Source: Malware configuration extractor	URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor	URLs: detectordiscusser.shop
Source: Malware configuration extractor	URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor	URLs: colorfulequalugliess.shop
Source: Malware configuration extractor	URLs: wisemassiveharmonious.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop

Source: unknown	DNS traffic detected: query: wisemassiveharmonious.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: turkeyunlikelyofw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: associationokeo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: relevantvoicelesskw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: detectordiscusser.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: colorfulequalugliess.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edurestunningcrackyow.fun replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: turkeyunlikelyofw.shop

Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop//
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/Ut
Source: RegAsm.exe, 00000003.00000002.1604417781.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/api
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/apiX
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/d
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://colorfulequalugliess.shop/
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/api
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/apiapi
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/v
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/api
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/api/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/api/api~
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/l
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/R8
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1604349090.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/api

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004294C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004294C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004294C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_004294C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0042AB4B GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

3_2_0042AB4B

System Summary

.NET source code contains very large array initializations

Source: 8lvzqcMqGF.exe, RemoteObjects.cs

Large array initialization: RemoteObjects: array initializer size 290816

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00433161 NtOpenSection,	3_2_00433161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004331CB NtMapViewOfSection,	3_2_004331CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436230 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043328A NtClose,	3_2_0043328A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00433408 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00433408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004144F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004144F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004329E6 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004329E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00435E60 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00435E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436050 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419060 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00419060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432100 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00432100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004371D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004371D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041520E NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041520E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418221 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00418221
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004222E6 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004222E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419290 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00419290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436360 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041E380 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041E380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042242C NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0042242C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436490 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004365C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004365C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004225A4 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004225A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004335B2 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004335B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414639 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00414639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004316C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004316C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A690 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041A690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004116A7 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004116A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436740 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004167A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_004167A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415845 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00415845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00417805 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00417805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F810 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0042F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041983E NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041192A NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041192A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414639 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00414639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436A60 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431A10 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00410A37 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00410A37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041FAE9 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041FAE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CAA0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416BB7 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00416BB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041ABBC NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041ABBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CC35 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041CC35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041ACB8 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041ACB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431DB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436E00 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00436E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431EC0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414E82 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00414E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00431FF0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_00431FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DFB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_2_0041DFB0

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Code function: 0_2_023823FF	0_2_023823FF
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Code function: 0_2_02381CF0	0_2_02381CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041407C	3_2_0041407C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004060B0	3_2_004060B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00426207	3_2_00426207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004032D0	3_2_004032D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00405350	3_2_00405350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004225A4	3_2_004225A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F5B0	3_2_0042F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042264C	3_2_0042264C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00420613	3_2_00420613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404770	3_2_00404770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004267DE	3_2_004267DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401790	3_2_00401790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041983E	3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436A60	3_2_00436A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00423B45	3_2_00423B45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407D20	3_2_00407D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00403D90	3_2_00403D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00436E00	3_2_00436E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402EF0	3_2_00402EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FF60	3_2_0040FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411FF4	3_2_00411FF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DFB0	3_2_0041DFB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408F00 appears 155 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408780 appears 42 times

Source: 8lvzqcMqGF.exe, 00000000.00000002.1595858670.000000000060E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 8lvzqcMqGF.exe
Source: 8lvzqcMqGF.exe	Binary or memory string: OriginalFilenameNewman.exe8 vs 8lvzqcMqGF.exe

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior

Source: 8lvzqcMqGF.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 8lvzqcMqGF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/1@8/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0042759F CoCreateInstance,

3_2_0042759F

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8lvzqcMqGF.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03

Source: 8lvzqcMqGF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8lvzqcMqGF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8lvzqcMqGF.exe	ReversingLabs: Detection: 91%
Source: 8lvzqcMqGF.exe	Virustotal: Detection: 69%

Source: unknown	Process created: C:\Users\user\Desktop\8lvzqcMqGF.exe "C:\Users\user\Desktop\8lvzqcMqGF.exe"
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: 8lvzqcMqGF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 8lvzqcMqGF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 8lvzqcMqGF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Newman.pdb source: 8lvzqcMqGF.exe
Source:	Binary string: Newman.pdb8 source: 8lvzqcMqGF.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041983E NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,

3_2_0041983E

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Code function: 0_2_023836B7 push ebx; iretd	0_2_023836DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043C628 push ecx; ret	3_2_0043C642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004267D8 push cs; ret	3_2_004267DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043BAE1 push FFFFFFC9h; iretd	3_2_0043BAE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00427E1E push esp; iretd	3_2_00427E26

Source: 8lvzqcMqGF.exe

Static PE information: section name: .text entropy: 7.933098445579858

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory allocated: 2380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory allocated: 43B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7528	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7528	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041983E

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Code function: 0_2_023B545D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_023B545D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: associationokeo.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: turkeyunlikelyofw.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pooreveningfuseor.pw
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: edurestunningcrackyow.fun
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: detectordiscusser.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: relevantvoicelesskw.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: colorfulequalugliess.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wisemassiveharmonious.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8DF008	Jump to behavior

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe

Queries volume information: C:\Users\user\Desktop\8lvzqcMqGF.exe VolumeInformation

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8lvzqcMqGF.exe	91%	ReversingLabs	Win32.Trojan.Leonem
8lvzqcMqGF.exe	69%	Virustotal		Browse
8lvzqcMqGF.exe	100%	Avira	HEUR/AGEN.1354295
8lvzqcMqGF.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
edurestunningcrackyow.fun	100%	URL Reputation	malware
edurestunningcrackyow.fun	100%	URL Reputation	malware
turkeyunlikelyofw.shop	0%	URL Reputation	safe
detectordiscusser.shop	0%	URL Reputation	safe
detectordiscusser.shop	0%	URL Reputation	safe
pooreveningfuseor.pw	0%	URL Reputation	safe
pooreveningfuseor.pw	0%	URL Reputation	safe
associationokeo.shop	0%	URL Reputation	safe
colorfulequalugliess.shop	20%	Virustotal		Browse
wisemassiveharmonious.shop	10%	Virustotal		Browse
relevantvoicelesskw.shop	20%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://colorfulequalugliess.shop/	100%	Avira URL Cloud	phishing
https://turkeyunlikelyofw.shop/api	100%	Avira URL Cloud	malware
https://associationokeo.shop/api	100%	Avira URL Cloud	malware
colorfulequalugliess.shop	100%	Avira URL Cloud	phishing
https://turkeyunlikelyofw.shop/	100%	Avira URL Cloud	malware
https://pooreveningfuseor.pw/l	0%	Avira URL Cloud	safe
wisemassiveharmonious.shop	0%	Avira URL Cloud	safe
https://colorfulequalugliess.shop/	20%	Virustotal		Browse
https://associationokeo.shop/api	24%	Virustotal		Browse
colorfulequalugliess.shop	20%	Virustotal		Browse
https://relevantvoicelesskw.shop/R8	100%	Avira URL Cloud	phishing
https://associationokeo.shop/apiX	100%	Avira URL Cloud	malware
https://turkeyunlikelyofw.shop/	20%	Virustotal		Browse
https://pooreveningfuseor.pw/api/api~	0%	Avira URL Cloud	safe
wisemassiveharmonious.shop	10%	Virustotal		Browse
https://pooreveningfuseor.pw/api	0%	Avira URL Cloud	safe
https://pooreveningfuseor.pw/l	2%	Virustotal		Browse
https://associationokeo.shop/apiX	18%	Virustotal		Browse
https://detectordiscusser.shop/	0%	Avira URL Cloud	safe
https://detectordiscusser.shop/api	0%	Avira URL Cloud	safe
https://turkeyunlikelyofw.shop/api	22%	Virustotal		Browse
https://detectordiscusser.shop/v	0%	Avira URL Cloud	safe
https://pooreveningfuseor.pw/api	15%	Virustotal		Browse
https://pooreveningfuseor.pw/api/	0%	Avira URL Cloud	safe
https://detectordiscusser.shop/apiapi	0%	Avira URL Cloud	safe
https://associationokeo.shop//	100%	Avira URL Cloud	malware
https://associationokeo.shop/Ut	100%	Avira URL Cloud	malware
https://detectordiscusser.shop/v	19%	Virustotal		Browse
https://pooreveningfuseor.pw/	0%	Avira URL Cloud	safe
relevantvoicelesskw.shop	100%	Avira URL Cloud	phishing
https://associationokeo.shop//	24%	Virustotal		Browse
https://associationokeo.shop/d	100%	Avira URL Cloud	malware
https://pooreveningfuseor.pw/api/	1%	Virustotal		Browse
https://detectordiscusser.shop/api	19%	Virustotal		Browse
https://detectordiscusser.shop/	19%	Virustotal		Browse
relevantvoicelesskw.shop	20%	Virustotal		Browse
https://associationokeo.shop/d	14%	Virustotal		Browse
https://pooreveningfuseor.pw/	17%	Virustotal		Browse
https://detectordiscusser.shop/apiapi	20%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
edurestunningcrackyow.fun	unknown	unknown	true	100%, URL Reputation 100%, URL Reputation	unknown
turkeyunlikelyofw.shop	unknown	unknown	true	0%, URL Reputation	unknown
detectordiscusser.shop	unknown	unknown	true	0%, URL Reputation 0%, URL Reputation	unknown
relevantvoicelesskw.shop	unknown	unknown	true	20%, Virustotal, Browse	unknown
pooreveningfuseor.pw	unknown	unknown	true	0%, URL Reputation 0%, URL Reputation	unknown
wisemassiveharmonious.shop	unknown	unknown	true	10%, Virustotal, Browse	unknown
associationokeo.shop	unknown	unknown	true	0%, URL Reputation	unknown
colorfulequalugliess.shop	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
edurestunningcrackyow.fun	true		unknown
pooreveningfuseor.pw	true		unknown
associationokeo.shop	true		unknown
colorfulequalugliess.shop	true	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown
turkeyunlikelyofw.shop	true		unknown
detectordiscusser.shop	true		unknown
wisemassiveharmonious.shop	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
relevantvoicelesskw.shop	true	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://associationokeo.shop/api	RegAsm.exe, 00000003.00000002.1604417781.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	false	24%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://turkeyunlikelyofw.shop/api	RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://colorfulequalugliess.shop/	RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://turkeyunlikelyofw.shop/	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1604349090.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://pooreveningfuseor.pw/l	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://relevantvoicelesskw.shop/R8	RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://associationokeo.shop/apiX	RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://pooreveningfuseor.pw/api/api~	RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pooreveningfuseor.pw/api	RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/api	RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/v	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pooreveningfuseor.pw/api/	RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/apiapi	RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://associationokeo.shop//	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	24%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://associationokeo.shop/Ut	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pooreveningfuseor.pw/	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://associationokeo.shop/d	RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417370
Start date and time:	2024-03-29 05:43:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8lvzqcMqGF.exe renamed because original name is a hash value
Original Sample Name:	3c30dbf2e7d57fdb7babdf49b87d8b31.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/1@8/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 21 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
05:43:47	API Interceptor	7x Sleep call for process: RegAsm.exe modified

Process:	C:\Users\user\Desktop\8lvzqcMqGF.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.918248192773169
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	8lvzqcMqGF.exe
File size:	330'240 bytes
MD5:	3c30dbf2e7d57fdb7babdf49b87d8b31
SHA1:	33e72f2e8e6b93a2ecffccba64650bda87e08e0d
SHA256:	8d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2
SHA512:	c48c83d1d9d459720bea88aa7fb56c13d886fff9ab65deb0ace750d7d35a7b61c66b5d697e506ec152534d788f1641c51bcba38610ae66a6a8e08b0dabdc7657
SSDEEP:	6144:eg/wt3X3dBPknwkM126Bwmks8kyZvpyF1Pta/hPeLIVbF:eMMXvPaVWAmV7yBpdZnxF
TLSH:	77641247B12F4158C8178A3DC523E29C12F5B371A317C546B6C863BDA99B3FAE242CE5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....).e............................^.... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x451e5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FB29B3 [Wed Mar 20 18:23:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x51e10	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x51dcc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4fe64	0x50000	85bc0132a7b595272eb1e37dbba36803	False	0.9462432861328125	data	7.933098445579858	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x53c	0x600	2c980b38a71e234cd0ca01290edea74f	False	0.400390625	data	3.934515637230161	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54000	0xc	0x200	5ba7d737ee3de40b45858892fc2de8f6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x520a0	0x2b0	data			0.4578488372093023
RT_MANIFEST	0x52350	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/29/24-05:43:48.790201	UDP	2051473	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun)	50877	53	192.168.2.4	1.1.1.1
03/29/24-05:43:48.994300	UDP	2050952	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop)	61786	53	192.168.2.4	1.1.1.1
03/29/24-05:43:48.286318	UDP	2050956	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop)	49936	53	192.168.2.4	1.1.1.1
03/29/24-05:43:48.891140	UDP	2050953	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw)	59000	53	192.168.2.4	1.1.1.1
03/29/24-05:43:48.591653	UDP	2051584	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop)	53036	53	192.168.2.4	1.1.1.1
03/29/24-05:43:48.386472	UDP	2051586	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop)	54425	53	192.168.2.4	1.1.1.1
03/29/24-05:43:48.485909	UDP	2051587	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop)	63226	53	192.168.2.4	1.1.1.1
03/29/24-05:43:48.691364	UDP	2050996	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)	57276	53	192.168.2.4	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 05:43:48.286318064 CET	49936	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:48.383884907 CET	53	49936	1.1.1.1	192.168.2.4
Mar 29, 2024 05:43:48.386471987 CET	54425	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:48.483282089 CET	53	54425	1.1.1.1	192.168.2.4
Mar 29, 2024 05:43:48.485908985 CET	63226	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:48.590055943 CET	53	63226	1.1.1.1	192.168.2.4
Mar 29, 2024 05:43:48.591653109 CET	53036	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:48.688971996 CET	53	53036	1.1.1.1	192.168.2.4
Mar 29, 2024 05:43:48.691364050 CET	57276	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:48.788036108 CET	53	57276	1.1.1.1	192.168.2.4
Mar 29, 2024 05:43:48.790200949 CET	50877	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:48.888950109 CET	53	50877	1.1.1.1	192.168.2.4
Mar 29, 2024 05:43:48.891139984 CET	59000	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:48.990830898 CET	53	59000	1.1.1.1	192.168.2.4
Mar 29, 2024 05:43:48.994299889 CET	61786	53	192.168.2.4	1.1.1.1
Mar 29, 2024 05:43:49.096733093 CET	53	61786	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2024 05:43:48.286318064 CET	192.168.2.4	1.1.1.1	0x7c77	Standard query (0)	turkeyunlikelyofw.shop	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.386471987 CET	192.168.2.4	1.1.1.1	0x1d29	Standard query (0)	wisemassiveharmonious.shop	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.485908985 CET	192.168.2.4	1.1.1.1	0x99e2	Standard query (0)	colorfulequalugliess.shop	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.591653109 CET	192.168.2.4	1.1.1.1	0x9e6	Standard query (0)	relevantvoicelesskw.shop	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.691364050 CET	192.168.2.4	1.1.1.1	0x429	Standard query (0)	detectordiscusser.shop	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.790200949 CET	192.168.2.4	1.1.1.1	0xb428	Standard query (0)	edurestunningcrackyow.fun	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.891139984 CET	192.168.2.4	1.1.1.1	0xdec1	Standard query (0)	pooreveningfuseor.pw	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.994299889 CET	192.168.2.4	1.1.1.1	0x40d1	Standard query (0)	associationokeo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 29, 2024 05:43:48.383884907 CET	1.1.1.1	192.168.2.4	0x7c77	Name error (3)	turkeyunlikelyofw.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.483282089 CET	1.1.1.1	192.168.2.4	0x1d29	Name error (3)	wisemassiveharmonious.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.590055943 CET	1.1.1.1	192.168.2.4	0x99e2	Name error (3)	colorfulequalugliess.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.688971996 CET	1.1.1.1	192.168.2.4	0x9e6	Name error (3)	relevantvoicelesskw.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.788036108 CET	1.1.1.1	192.168.2.4	0x429	Name error (3)	detectordiscusser.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:48.888950109 CET	1.1.1.1	192.168.2.4	0xb428	Name error (3)	edurestunningcrackyow.fun	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2024 05:43:49.096733093 CET	1.1.1.1	192.168.2.4	0x40d1	Name error (3)	associationokeo.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:43:46
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\8lvzqcMqGF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8lvzqcMqGF.exe"
Imagebase:	0xe0000
File size:	330'240 bytes
MD5 hash:	3C30DBF2E7D57FDB7BABDF49B87D8B31
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:43:46
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:43:47
Start date:	29/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x60000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:43:47
Start date:	29/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x6d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	32.4%
Total number of Nodes:	34
Total number of Limit Nodes:	4

Executed Functions

Function 023B545D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 023B55CC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 023B55DF
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 023B55FD
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 023B5621
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 023B564C
TerminateProcess.KERNELBASE(?,00000000), ref: 023B566B
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 023B56A4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 023B56EF
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 023B572D
Wow64SetThreadContext.KERNEL32(?,?), ref: 023B5769
ResumeThread.KERNELBASE(?), ref: 023B5778

Strings

aryA, xrefs: 023B54A3
Load, xrefs: 023B549B
GetP, xrefs: 023B54DF
ress, xrefs: 023B54E7

Memory Dump Source

Source File: 00000000.00000002.1596239972.00000000023B5000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23b5000_8lvzqcMqGF.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 92f83b24d06481db55e1507501c1664f6185f86c8bc3f3309b3846ed7c2f50ba
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 41B1E47264028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB741D774FA418B94

Uniqueness

Uniqueness Score: -1.00%

Function 023823FF Relevance: .2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1596191014.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2380000_8lvzqcMqGF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d773e4a6f8c0e0dee0f5e9dcfeceb1f07dbd2cfe4b7d4b9154b9e79d8b893981
Instruction ID: 92467e5e9cffedf393b83441016673036ddae320bfd584cc3950f627d4798781
Opcode Fuzzy Hash: d773e4a6f8c0e0dee0f5e9dcfeceb1f07dbd2cfe4b7d4b9154b9e79d8b893981
Instruction Fuzzy Hash: 94A191306043C2CFDB05EB19C8D4FA6B7A2AB81314F9685A5D8594F9A7DBB0FD84CB44

Uniqueness

Uniqueness Score: -1.00%

Function 02381CF0 Relevance: .2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1596191014.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2380000_8lvzqcMqGF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57af220f5d29f63724d7063f6c67f926f57cf35ce1d87fab6b1a7d4f196ca44b
Instruction ID: 24158f44de1d620cafd68304c06db50f37b22ce017881bdc24c764c2ffad3ec5
Opcode Fuzzy Hash: 57af220f5d29f63724d7063f6c67f926f57cf35ce1d87fab6b1a7d4f196ca44b
Instruction Fuzzy Hash: AA718378600318DFD709EB68E484BB9F7BBEB84310F14C266D5598F699E730AC4ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 02384773 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 02384814

Memory Dump Source

Source File: 00000000.00000002.1596191014.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2380000_8lvzqcMqGF.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 984474fb2df3abc204f928c85b33d6d2793f486f0e1cf71cf58e3e382eb7fd84
Instruction ID: b0ededeee29d08a0b08c1fd494b49d81a1c67780edc45342c8fdfc6200293b05
Opcode Fuzzy Hash: 984474fb2df3abc204f928c85b33d6d2793f486f0e1cf71cf58e3e382eb7fd84
Instruction Fuzzy Hash: 1C3123B59003499FCB10DFA9D980ADEBBF1FF48314F20842AE919A7650C775A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02384778 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 02384814

Memory Dump Source

Source File: 00000000.00000002.1596191014.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2380000_8lvzqcMqGF.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 149041f0412e1d4ff7903bfb07af865f56210f73da650ebbcc1acdb3b4f8631e
Instruction ID: d517ad9f55e29524d828933ce2d25a55b6fef8495e4654c20a9663254e0bbc7a
Opcode Fuzzy Hash: 149041f0412e1d4ff7903bfb07af865f56210f73da650ebbcc1acdb3b4f8631e
Instruction Fuzzy Hash: 0D2113B5D003499FCB10DFAAD984ADEBBF5FF48314F20842AE919A7210C775A954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 023845F0 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 02384674

Memory Dump Source

Source File: 00000000.00000002.1596191014.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2380000_8lvzqcMqGF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0d944033c11b51c0a1eac2503b36c5b260163753f7a0fe46b020a572b08b9391
Instruction ID: d29fa647d0b00b8be334ada349a7b3e7bf1ab9990c93c9573649cce9e473d9aa
Opcode Fuzzy Hash: 0d944033c11b51c0a1eac2503b36c5b260163753f7a0fe46b020a572b08b9391
Instruction Fuzzy Hash: 1721F3B1900259DFDB00DF9AD984ADEFBB4FB08320F10812AE918A7250D334A550CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 023845F8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 02384674

Memory Dump Source

Source File: 00000000.00000002.1596191014.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2380000_8lvzqcMqGF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 17e3b2f11ac7e984c2cc5226f3eef39796de93e6f793df8adebfa7874a7b888c
Instruction ID: 1e068f54bec009d0fcf629c1f090463ee5546b9ac4e22d15e8e435a73272a2f0
Opcode Fuzzy Hash: 17e3b2f11ac7e984c2cc5226f3eef39796de93e6f793df8adebfa7874a7b888c
Instruction Fuzzy Hash: 0221E3B5901259EFCB00DF9AD984BDEFFB4FB08320F10812AE918A7250D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 7508, Parent PID: 7432COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	53.8%
Total number of Nodes:	52
Total number of Limit Nodes:	3

Executed Functions

Function 00435E60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 155
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00435FC5
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00436037

Strings

,, xrefs: 00435F9C
@, xrefs: 00435F0D

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,$@
API String ID: 292159236-1227015840
Opcode ID: be3b3e9873d241bb9a5e328b9f5e252206f9176f56b74984ea1d1e833466e96c
Instruction ID: 8919844663d06bf98667003f7ef23dc50fd4aa2d115e18cc00e89ab8bd3f9812
Opcode Fuzzy Hash: be3b3e9873d241bb9a5e328b9f5e252206f9176f56b74984ea1d1e833466e96c
Instruction Fuzzy Hash: 4051CEB21083049FD310DF14CC45B5BBBE4EF89368F155A1DF5A49B2E0E7B8C9088B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004329E6 Relevance: 6.2, APIs: 4, Instructions: 155
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432A85
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00432AD0
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432B6E
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00432BB9

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: bc28c0df7d0b55daffa4dc9089c3743cf1908f4009a3c79951bed6f22fae4781
Instruction ID: 84455ddf7374472f79f1133e9b5a10f67b6fbb7675e7473383fb3045bd6e1df6
Opcode Fuzzy Hash: bc28c0df7d0b55daffa4dc9089c3743cf1908f4009a3c79951bed6f22fae4781
Instruction Fuzzy Hash: B4513475250B008FD334CF14C995B17B7E4FB49314F144A2DE9A79BAA0D7B4F8098B98

Uniqueness

Uniqueness Score: -1.00%

Function 00433408 Relevance: 6.1, APIs: 4, Instructions: 123
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043345E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004334AA
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043354B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00433597

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 2a166a3e3ab8231cc7d3fcfae175cedda2ecd8b21da22f1dde343d1ee7fe0f56
Instruction ID: 0017d9a89ad9cda2ca2c4c24b04ef434f79b883090e13655b3ec1f739df1845d
Opcode Fuzzy Hash: 2a166a3e3ab8231cc7d3fcfae175cedda2ecd8b21da22f1dde343d1ee7fe0f56
Instruction Fuzzy Hash: 2E510276140B009FE760CF14C945B17B7F4FB49328F549A2CE5A69BAE0D7B4F5088B98

Uniqueness

Uniqueness Score: -1.00%

Function 00436230 Relevance: 3.1, APIs: 2, Instructions: 94
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004362D5
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0043632D

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1ebe170525f78fccaf22af707421529a7bbdd90d4f7660a3a07d3b9354870fbd
Instruction ID: 152f3d0b3d9842b087a7e3706b0be60fb38a51283ea802faa9e215f8336c57be
Opcode Fuzzy Hash: 1ebe170525f78fccaf22af707421529a7bbdd90d4f7660a3a07d3b9354870fbd
Instruction Fuzzy Hash: CE318F75108305AFE710CF04D845B5FBBE8EB89324F05862DF9A5973D0D7B49908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004335B2 Relevance: 3.1, APIs: 2, Instructions: 89
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043345E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004334AA

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: aa5cf278277a01a662d27d819bf63a8c07f2805fe0c7ec73872161be02451b8f
Instruction ID: 69fc45ef7c38b0d9457e16cb6c69ba31f2009a2f15333d95a559ec4dc14b0f60
Opcode Fuzzy Hash: aa5cf278277a01a662d27d819bf63a8c07f2805fe0c7ec73872161be02451b8f
Instruction Fuzzy Hash: C1316775140B008FE724CF14C959B27B7F0FB49319F549A1DE5A29BBA0D7B8E908CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004144F0 Relevance: 3.1, APIs: 2, Instructions: 77
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00414591
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004145D5

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: fdd592a9e456b9c7423b0176e797abab650c5c30462cdc1f3ef0e3ad2ed3975d
Instruction ID: ec75a103f360b563d19a6fca5ae2e9b7984b14fde984ad99cfb7fc31cffa6f2f
Opcode Fuzzy Hash: fdd592a9e456b9c7423b0176e797abab650c5c30462cdc1f3ef0e3ad2ed3975d
Instruction Fuzzy Hash: B221AC75108314AFD310CF08D884B5FBBE8EBC5764F118A2DF9A59B7D0D77498488B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004331CB Relevance: 1.6, APIs: 1, Instructions: 53
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,000000FF,00000000,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 0043324C

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 640f2d58c1588323bc007ef87cc456b506f6ebd56a111fdd93dadcacdaea19ca
Instruction ID: b501f31da52e79ac5c63903637e9361ce37232a5c8d31df9b842c31dc7f44444
Opcode Fuzzy Hash: 640f2d58c1588323bc007ef87cc456b506f6ebd56a111fdd93dadcacdaea19ca
Instruction Fuzzy Hash: 6A011A34380700BFE7359F10DC92F1277E6BB49724F604618F6552B6E2C3B6B8108B18

Uniqueness

Uniqueness Score: -1.00%

Function 00433161 Relevance: 1.5, APIs: 1, Instructions: 17
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,00000004), ref: 0043317A

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: 1f4ea6634ba392dff5259239aab9742a4efe955c2e8d321feed240c06a932cee
Instruction ID: 3e41719b09b3439fb0e8128554433515542cb534244fecdbfbe48297e1d390a7
Opcode Fuzzy Hash: 1f4ea6634ba392dff5259239aab9742a4efe955c2e8d321feed240c06a932cee
Instruction Fuzzy Hash: 70D05B7C25054097C658D715FC01E2133A2B785319F541038F646D75A2D9B1B811CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0043328A Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 004332A2

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 57a5482c843d765ccbbbf39b35ee3bb94c995176085ea8fe826db78a9b25590d
Instruction ID: 46d3b92d9808e40647c753e4d78c7be0f3ff87c0c70ad8cc7f733809d9c11a20
Opcode Fuzzy Hash: 57a5482c843d765ccbbbf39b35ee3bb94c995176085ea8fe826db78a9b25590d
Instruction Fuzzy Hash: 99E012796506008BC74CDF69EC5092677E1FB4B318750043CE08683772DA72A820DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00408E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00408ED9

Strings

eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance, xrefs: 00408E96

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance
API String ID: 621844428-3721107060
Opcode ID: 9c823a8f653a14b5ea4a883027bbe296e214b1790136305cd9d14a8ed8f07a55
Instruction ID: 7a0fa1e7a3715d3eda5166a1f15dc090710409219edd2166348aa862e281d4dd
Opcode Fuzzy Hash: 9c823a8f653a14b5ea4a883027bbe296e214b1790136305cd9d14a8ed8f07a55
Instruction Fuzzy Hash: EC01D6B1C18600C6C6507B75DB0676ABA986F60329F20053FE9C2F11C1EE3C445756EF

Uniqueness

Uniqueness Score: -1.00%

Function 00434148 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 004341ED

Strings

\mrs, xrefs: 0043418E

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: \mrs
API String ID: 1279760036-882183303
Opcode ID: ea9f3e2f1dcd2f86c0d82d84327f86d17200689af8c71dc8e4b05cb328cfdd3c
Instruction ID: da8e6fb871766a4334ee8a8b13312953f12911acf5d5b0a7422e6d879ecc3ece
Opcode Fuzzy Hash: ea9f3e2f1dcd2f86c0d82d84327f86d17200689af8c71dc8e4b05cb328cfdd3c
Instruction Fuzzy Hash: 9B310C75240B008BD728CF29D89571AB7E2FBC9309F554A2CD5A29BB95C774F8058B84

Uniqueness

Uniqueness Score: -1.00%

Function 00433047 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 004330ED

Strings

AFG, xrefs: 00433071

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: AFG
API String ID: 1029625771-345823793
Opcode ID: a9be070ae88746e8f37b6584014072837253167561891840a1d9fbc8e1c9cb98
Instruction ID: 3624426b3e35b88404330f29ef87bc44228b5a068a5f93c1d631435f7abf264d
Opcode Fuzzy Hash: a9be070ae88746e8f37b6584014072837253167561891840a1d9fbc8e1c9cb98
Instruction Fuzzy Hash: 862127B42007028FC718CF15D8A4B26BBB2FB86324F26CA4DC4564BB45C779E581CF88

Uniqueness

Uniqueness Score: -1.00%

Function 004315FB Relevance: 1.5, APIs: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00431697

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7b61ac64b3c4ebec0b64a1f3f1e3564fc8a4aa071343e37356646381a2276e29
Instruction ID: 1caba5081e76a5090500c75baa42c91faaa74cb5bb8d7f7be022b3d47655f660
Opcode Fuzzy Hash: 7b61ac64b3c4ebec0b64a1f3f1e3564fc8a4aa071343e37356646381a2276e29
Instruction Fuzzy Hash: 0C112E741083409FD708CF14C46472BBBE1EBC9318F54891CE4A947795C775D519CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00434A80 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(00408EC9), ref: 00434A98

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c95a907cf872e24ac0ab2eaa20b780025ee4c98473edfe3b740f2e7727befd8f
Instruction ID: e00c30fd23c69428d05bc186d188bafc312ee2ac1d53b33a4734713f9fc3f9f9
Opcode Fuzzy Hash: c95a907cf872e24ac0ab2eaa20b780025ee4c98473edfe3b740f2e7727befd8f
Instruction Fuzzy Hash: 12D0927A541501AFDF016BA1FD4AA093B29BBCA345B0490B2B106E1572EB759C10DF0C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004294C0 Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042950B
GetClipboardData.USER32 ref: 0042952A
GlobalLock.KERNEL32 ref: 0042954B
GlobalUnlock.KERNEL32 ref: 00429662
CloseClipboard.USER32 ref: 0042966A

Strings

*, xrefs: 004295A2
W, xrefs: 004295A6
%, xrefs: 004295AA
>, xrefs: 004295B6
V, xrefs: 0042959E
#, xrefs: 004295BA
8, xrefs: 004295BE
-, xrefs: 00429592
w, xrefs: 004295B2
L, xrefs: 004295AE
+, xrefs: 00429596
#, xrefs: 0042959A

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: #$#$%$*$+$-$8$>$L$V$W$w
API String ID: 1006321803-144441113
Opcode ID: 43617eadacacb931a2ae4b711999eae24f76f1a81796408b4adec7e94ba31b59
Instruction ID: 1c22dcfa3161527e767195b50680ed167b4dbd01ea6606696096064df506ae20
Opcode Fuzzy Hash: 43617eadacacb931a2ae4b711999eae24f76f1a81796408b4adec7e94ba31b59
Instruction Fuzzy Hash: 2B51A2B1608740CFD711DF28D484712BBF0EF15314F14869AD89A8F795C379E845CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00409930 Relevance: 14.2, Strings: 11, Instructions: 445COMMON

Download Yara Rule

Strings

k|{H, xrefs: 00409C10
L!G#, xrefs: 00409E66
BY?[, xrefs: 00409E7C
}E~G, xrefs: 00409EC9
e9u;, xrefs: 00409E24
0, xrefs: 0040998D
Cpxw, xrefs: 00409C48
}s, xrefs: 00409DDC
j%s', xrefs: 00409E71
Fy, xrefs: 00409ED4
Kdy~, xrefs: 00409C18

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$BY?[$Cpxw$Fy$Kdy~$L!G#$e9u;$j%s'$k|{H$}E~G$}s
API String ID: 0-23555875
Opcode ID: 551b28acf7250366f4d121c78da1475c18cb5348c294d36f8836811621969651
Instruction ID: 7d9e46ac243aa4183a85515a8c3f283cd501e81e5f1ed36d1b33fcf5162260c8
Opcode Fuzzy Hash: 551b28acf7250366f4d121c78da1475c18cb5348c294d36f8836811621969651
Instruction Fuzzy Hash: 68021FB06083818BE324CF15C4A4B5FBBE1BBC6348F144D2DE5D58B292D77AD909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004225A4 Relevance: 13.1, APIs: 4, Strings: 3, Instructions: 807nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00422CF6
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00422D49

Strings

b@R7, xrefs: 00423033
_[GF, xrefs: 00422A81
CuH, xrefs: 004231C2

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: CuH$_[GF$b@R7
API String ID: 292159236-2166977767
Opcode ID: 66716a6068e0304e37c689417559216ab7d88b0253840a75b044e0f0a94d7ac6
Instruction ID: 3cb1844d90f6007c74d4dd9d7f1f25511aa284325e8158f5ec8e7ed6a92978a0
Opcode Fuzzy Hash: 66716a6068e0304e37c689417559216ab7d88b0253840a75b044e0f0a94d7ac6
Instruction Fuzzy Hash: 9352F070204B518BD335CF29C5907A3BBE1BF46304F548A6ED4E78BB91D7B8A809CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041983E Relevance: 12.8, APIs: 8, Instructions: 843COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a840b134320a7dcd642f1850dc27d7720e35b7fcae863bcbfedd385514f1eb
Instruction ID: 5abe41cee191bf52c85143cb7caeed0f153d087877ece44c2cd3adf95024b674
Opcode Fuzzy Hash: 84a840b134320a7dcd642f1850dc27d7720e35b7fcae863bcbfedd385514f1eb
Instruction Fuzzy Hash: 9342E036609341DFD724CF28D8507AAB3E5FB89314F198A2DE4A9973D0D734E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00432100 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 414nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00100000,00003000,00000004), ref: 00432157
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00003000,00000040), ref: 00432260
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004322BF
NtFreeVirtualMemory.NTDLL(000000FF,00010000,000000B8,00008000), ref: 00432316
NtAllocateVirtualMemory.NTDLL(000000FF,00010000,00000000,?,00003000,00000004), ref: 00432340
NtFreeVirtualMemory.NTDLL(000000FF,00010000,?,00008000), ref: 0043268E

Strings

\mrs, xrefs: 004324B8

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: \mrs
API String ID: 292159236-882183303
Opcode ID: e4b7b2e8b087f194c6df92afdbea53f80e3a1c383975f7e7bb8b0c7d58651c76
Instruction ID: c8ce06bed3cc8b4c08c02377ceeb406f0fc67a94a6ccfccdb79493ec4ac0ad1c
Opcode Fuzzy Hash: e4b7b2e8b087f194c6df92afdbea53f80e3a1c383975f7e7bb8b0c7d58651c76
Instruction Fuzzy Hash: 7BF199721083519FD720CF28C840B5FBBE0BB89314F148A2EF9A59B391D7B9D905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB4B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042ABFC
GetSystemMetrics.USER32 ref: 0042AC0D
DeleteObject.GDI32 ref: 0042AC75
SelectObject.GDI32 ref: 0042ACCF
SelectObject.GDI32 ref: 0042AD60
DeleteObject.GDI32 ref: 0042AD9D

Strings

, xrefs: 0042AD2D

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 1cb2098a5ed750cc60d491d4840e1f427e82c7489d5ce4f7974c7243bfb9b279
Instruction ID: 6db4068e33c5193df88fec3ab3fabe94e4e4a6d97a21b65ff78d34872f7e2a81
Opcode Fuzzy Hash: 1cb2098a5ed750cc60d491d4840e1f427e82c7489d5ce4f7974c7243bfb9b279
Instruction Fuzzy Hash: 39A16CB4605B008FD364EF28D985A26BBF1FB49700B109A6DE99AC7760D731F844CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00436E00 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 300nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00436EAC
NtFreeVirtualMemory.NTDLL(000000FF,00000000,?,00008000), ref: 00436F0A
NtAllocateVirtualMemory.NTDLL(000000FF,0000BA00,00000000,?,00003000,00000040), ref: 00436FCB
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00437028

Strings

R-,T, xrefs: 00436F50

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: R-,T
API String ID: 292159236-635581381
Opcode ID: b1f399bdec1cf103cf95c4fdb5be251543dbe4707dcf0004858ea36a99674a23
Instruction ID: ce43a834b771764ca244059a86bf0504636317143f87745a2d68456237155254
Opcode Fuzzy Hash: b1f399bdec1cf103cf95c4fdb5be251543dbe4707dcf0004858ea36a99674a23
Instruction Fuzzy Hash: 2BB157762083119FD724CF18C840A1BB7E6FFC8714F158A2DE9A59B3A0D778E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004316C0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 263nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00431774
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004317CB
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043192C
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00431983

Strings

\mrs, xrefs: 00431825

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: \mrs
API String ID: 292159236-882183303
Opcode ID: 75ee18df55d72b55819208765a821dfb57845b1f80966e892df44043ecafda2b
Instruction ID: 40278c49572400491f786d5b1b3d56b46c03dd003bf2edaa73dda23b4b11cf02
Opcode Fuzzy Hash: 75ee18df55d72b55819208765a821dfb57845b1f80966e892df44043ecafda2b
Instruction Fuzzy Hash: B19157B51083409FD310CF18C854B5BBBE5EBC9718F148A2DF9A5AB390C774D805CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00431A10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 237nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00431AC5
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00431B17
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 00431C6F
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00431CBD

Strings

\mrs, xrefs: 00431B6D

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: \mrs
API String ID: 292159236-882183303
Opcode ID: 38db8190732ca0bd92d0aed27df4ee609cb981946253b70108ed4e5314fcfbbc
Instruction ID: a2010227f9080237fec712df2993c1f15bfb7d0c1da527c990d7af781c085da3
Opcode Fuzzy Hash: 38db8190732ca0bd92d0aed27df4ee609cb981946253b70108ed4e5314fcfbbc
Instruction Fuzzy Hash: 088165752483009FE300CF18C894B1BBBE5FB89714F145A2DF9A59B3A0D775D909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00419290 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 355nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004195F9
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00419642

Strings

:y){, xrefs: 004192F6
~q, xrefs: 004192B6

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: :y){$~q
API String ID: 292159236-1682434157
Opcode ID: 24287b8a51d430d56732fb172836f1b23e01550b98628d808725b39816a6b97d
Instruction ID: 9d1fc147718c2075adb8cd942544432b20875a8fe4ce7acf22032cd6fd66e189
Opcode Fuzzy Hash: 24287b8a51d430d56732fb172836f1b23e01550b98628d808725b39816a6b97d
Instruction Fuzzy Hash: CCA1BDB25083159BD710DF18C8A2BABB7E4FF85314F04492EE9959B391E338DD44C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABBC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041AD6C
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041ADC2

Strings

~w, xrefs: 0041AE3E
vp, xrefs: 0041AE56

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: vp$~w
API String ID: 292159236-2373924268
Opcode ID: 8530b514cb865131fcce381130a1844415a29680ac4096c29acf3e3b51d80c79
Instruction ID: f71e828c5e4472044e65a4d0cd1af1edb2ac16e38ab61581de118205b43d6389
Opcode Fuzzy Hash: 8530b514cb865131fcce381130a1844415a29680ac4096c29acf3e3b51d80c79
Instruction Fuzzy Hash: 6F5113B410D3819FE320CF04C884B9FBBE5FB85748F504A2DE5A59B290D77495098F9B

Uniqueness

Uniqueness Score: -1.00%

Function 0041520E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004153DC
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0041542B

Strings

(?z, xrefs: 0041543F
(?z, xrefs: 00415261

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: (?z$(?z
API String ID: 292159236-62014210
Opcode ID: 2850033e6ed14daf08b1f0560f224ab487445cf717e5e5a81c3a6b7d64b3d946
Instruction ID: bc43932f252fc9bd93004ff39696f16b57995afc69153c07bf54ce43e6a6d8b4
Opcode Fuzzy Hash: 2850033e6ed14daf08b1f0560f224ab487445cf717e5e5a81c3a6b7d64b3d946
Instruction Fuzzy Hash: 1C3178756183419FD314CF18D885B5BB7E4BB85704F149A2CF5A9DB3A0DB74D804CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00436A60 Relevance: 6.3, APIs: 4, Instructions: 293nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00436B08
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00436B65
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00436C26
NtFreeVirtualMemory.NTDLL(000000FF,D2FF0000,00000010,00008000), ref: 00436C7F

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1548943d33d520e5d1a982b553b38242c862953f5e2b4f59968f6de9b2f6c2a5
Instruction ID: 3f68a9878cd3829920f01541ca85b18ada18e063a2d7d6dc3ddbaa88b56dc56a
Opcode Fuzzy Hash: 1548943d33d520e5d1a982b553b38242c862953f5e2b4f59968f6de9b2f6c2a5
Instruction Fuzzy Hash: DFB18A75208316AFD710CF18C880B2BB7E5FF89354F158A2DE9949B3A0D774E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00436740 Relevance: 6.3, APIs: 4, Instructions: 255nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004367E5
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00436843
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 0043690A
NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000000,00008000), ref: 00436967

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c74d77d1ece2ae10a7b6621d36481cab2a0a5318fbd1d033415b2a2ec05f44a7
Instruction ID: 06c3224bfdd60b96307f1d2912c73f361d79b940deb979b6f242a3c2ad20fa94
Opcode Fuzzy Hash: c74d77d1ece2ae10a7b6621d36481cab2a0a5318fbd1d033415b2a2ec05f44a7
Instruction Fuzzy Hash: 41919C75208312AFD710DF18C880B1FB7E5EF89364F158A2DF9949B3A0D7789905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004371D0 Relevance: 6.3, APIs: 4, Instructions: 251nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004372B9
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00437317
NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 004373D9
NtFreeVirtualMemory.NTDLL(000000FF,D2FF0000,00000010,00008000), ref: 00437433

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 7d1a3f8f4b01bd3f43d226e4c26a817b4078b0cb8fdc44005604385b0ed1c0cc
Instruction ID: 108c7e70a37d8f213dc907a15cc487d772c04e446ebbc1d5c70ee4a758399861
Opcode Fuzzy Hash: 7d1a3f8f4b01bd3f43d226e4c26a817b4078b0cb8fdc44005604385b0ed1c0cc
Instruction Fuzzy Hash: 26914EB1208315AFD714CF14D841B2BBBE4FB89314F048A2DF9A59B391D774E805CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004167A0 Relevance: 6.2, APIs: 4, Instructions: 168nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 00416854
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 004168B0

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 025ed8e8ba3c08ef6c33ec3b8d328b4e69256dbc9b699c2f50271227dfcf64ae
Instruction ID: b0f8f4a068109825ff29421ec68445a3c91c1f314a49e64f0cc64ba9140a3fef
Opcode Fuzzy Hash: 025ed8e8ba3c08ef6c33ec3b8d328b4e69256dbc9b699c2f50271227dfcf64ae
Instruction Fuzzy Hash: D35179B52483409FE314CF14D845B5BB7E9BBC9318F114A2DF6A59B3A0D7B4D808CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00410A37 Relevance: 6.1, APIs: 4, Instructions: 138nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00410A8B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00410ADA
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00410BA4
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00410BF6

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: f980eacf6cae97784a7a35dfaf23c448f65cfcafd2849d9d4896c47f9455c989
Instruction ID: 7085e4e4b7d8d9430ebde16d73d692029d9640cb0720cc7b0147fbb46af897d3
Opcode Fuzzy Hash: f980eacf6cae97784a7a35dfaf23c448f65cfcafd2849d9d4896c47f9455c989
Instruction Fuzzy Hash: 06512376100B108FD321CF64C885B97B7F5FB48314F144A2DE6AA9BAA0D775B844CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041ACB8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041AFB8
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041B017

Strings

wB, xrefs: 0041B1C6

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: wB
API String ID: 292159236-74961864
Opcode ID: e14b8cfc9a89516eb590d485b6ad8915c3f9517a8865353a4e60c3af26a34f89
Instruction ID: dd7f1a9ae31a7a9242dce100f639a5f4d3043ea5972395377af61a982efa388a
Opcode Fuzzy Hash: e14b8cfc9a89516eb590d485b6ad8915c3f9517a8865353a4e60c3af26a34f89
Instruction Fuzzy Hash: 846134B51083819BD724CF04C894B9FBBE1FB85344F148E2DE4E99B3A0C7799549CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00436050 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004361B5
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00436212

Strings

@, xrefs: 004360FD

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: c87d125e0cfb517eb5545796025c0010d811e7ca040a57e7c9c3eb797839c9fb
Instruction ID: fe6fe27977001e7cedc0c768e725234466ef9f5805c9b938f0c2e73db5e3573f
Opcode Fuzzy Hash: c87d125e0cfb517eb5545796025c0010d811e7ca040a57e7c9c3eb797839c9fb
Instruction Fuzzy Hash: AB4180B61083059FD700CF54C885B1BB7E4EF89368F169A1DF5A59B3A0E378C904CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004365C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004366D5
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00436727

Strings

@, xrefs: 0043661F

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @
API String ID: 292159236-2766056989
Opcode ID: 698eec9241d38db8ddd066a6dd138bc31b3a457852fbc230b103760f64d61ae9
Instruction ID: 7815a72bb7cfa4d854a0d98d3e69f2795e75ee3084435ef049e8fdbc34d62cd6
Opcode Fuzzy Hash: 698eec9241d38db8ddd066a6dd138bc31b3a457852fbc230b103760f64d61ae9
Instruction Fuzzy Hash: 3F418CB5508311AFD310CF14C844B5BBBE8FFC9368F059A2CF9A49B790D77499088B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00436360 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00436414
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00436473

Strings

$, xrefs: 004363EB

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: 7f39dd38122c5d6a730eb05778b4e54b01fc5c20d208759b9581c250a094002d
Instruction ID: f899ac67fece5d122f59f90cac6245d623a6ebb41334907201be203b79ce9f9b
Opcode Fuzzy Hash: 7f39dd38122c5d6a730eb05778b4e54b01fc5c20d208759b9581c250a094002d
Instruction Fuzzy Hash: F8318F75248315AFE710CF14DC41B1FBBE8EB89714F118A2DFAA4A77D0D77498048B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00436490 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00436544
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004365A3

Strings

$, xrefs: 0043651B

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: 5bafbc32f3f51ab8af29e0f488e780051b0f59f3bf2a123c9d9c88bafe98ca34
Instruction ID: c1159c07e1305400ac055225198fa9760fc2ac602f618e29b07dd05c80cc7559
Opcode Fuzzy Hash: 5bafbc32f3f51ab8af29e0f488e780051b0f59f3bf2a123c9d9c88bafe98ca34
Instruction Fuzzy Hash: 23318D75648315AFD310CF14DC41B1FB7E8EB89714F118A2DFAA4AB3D0D77598088B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00419060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00419101
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00419168

Strings

,, xrefs: 004190D8

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: 716c91e9b3047c492bf1ed3504f6b45b0684989b86eefb4a2065fc6d9cec33e3
Instruction ID: b84dbf16a39f3d74d29536ebeccc2c986b2dc0c907bd8dc49f01886a77e1c593
Opcode Fuzzy Hash: 716c91e9b3047c492bf1ed3504f6b45b0684989b86eefb4a2065fc6d9cec33e3
Instruction Fuzzy Hash: A1314975108304AFE310CF14DC44B5FBBE9FB89754F148A2DFAA497390D37598448B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00417270 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

Et, xrefs: 004172AA
{|, xrefs: 004172BA
sC, xrefs: 004172B2

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Et$sC${|
API String ID: 0-1114324604
Opcode ID: 07444530de06c55f882d4affd117dcb2bab30a31311aa56c2ae6e3dffcb21ac5
Instruction ID: 3de3f1f0f8e4fbb0d8c03d4cb870f58e7b4986a6ed178418f094574228c0fc58
Opcode Fuzzy Hash: 07444530de06c55f882d4affd117dcb2bab30a31311aa56c2ae6e3dffcb21ac5
Instruction Fuzzy Hash: 75C1FBB05083218BD728CF14C8A17ABB7F1FF91368F048A1DE8954B390E779A945CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 004094A0 Relevance: 4.1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

<)1,, xrefs: 0040982D
$), xrefs: 0040951C
9$01, xrefs: 00409835

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $)$9$01$<)1,
API String ID: 0-248219532
Opcode ID: e7b80eb2262bf71e8ef823d51209954624898c0f51cf40a2a069d753970e283f
Instruction ID: e984f2d086ec23198eb5d5200a4407a47e0ffbe4085c5c58b06d7b2de70b61d0
Opcode Fuzzy Hash: e7b80eb2262bf71e8ef823d51209954624898c0f51cf40a2a069d753970e283f
Instruction Fuzzy Hash: ABC157B15083818BD325CF19C4507ABBBE1BFC6314F148A6DE4E59B392C779890ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 0042F920 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,7BAD7941,00000008,?), ref: 0042FA06

Strings

WHRy, xrefs: 0042FA18

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: WHRy
API String ID: 237503144-2823012913
Opcode ID: 6d169666727f9f80caa70b14d3682104204e7b54d389c15c3c64eb6d7984ba28
Instruction ID: dfa09c0b6657038d8d8d417b3de940840f465c2ef1969660454ddc09fe80325c
Opcode Fuzzy Hash: 6d169666727f9f80caa70b14d3682104204e7b54d389c15c3c64eb6d7984ba28
Instruction Fuzzy Hash: C02139726183919FC354CF18D490B6BBBF5EB86748F40592DF9919B280D731E9088B96

Uniqueness

Uniqueness Score: -1.00%

Function 0041DFB0 Relevance: 3.3, APIs: 2, Instructions: 305nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0041E05C
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041E0B0

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 46f5f588d342782e4eb23f1617a10b3dea340cbb3d931128dc4a4aff47e2a21c
Instruction ID: 1a24e6d032f52eca1be2b5fe647ae5090cf3ed635919255bb602f7bc564eb98a
Opcode Fuzzy Hash: 46f5f588d342782e4eb23f1617a10b3dea340cbb3d931128dc4a4aff47e2a21c
Instruction Fuzzy Hash: CCA133B6A083019BE700CF16C8417ABB7E5EF85354F184A2EF8D587391E738D985C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004222E6 Relevance: 3.2, APIs: 2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f7b5eff4ad0f4bc89f0df0d3068b8cc51db71d6205565a8c6312e85787402b
Instruction ID: eda2e1da906262592f68c3c1084e0f438eda9e8b6966f67342959e9451f9410d
Opcode Fuzzy Hash: 93f7b5eff4ad0f4bc89f0df0d3068b8cc51db71d6205565a8c6312e85787402b
Instruction Fuzzy Hash: 5B518D30148B919FD326CF38C850BA6BBF0BF46304F5849AED5E6CB692D7796809CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004116A7 Relevance: 3.1, APIs: 2, Instructions: 124nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00410A8B
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00410ADA

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: a70be603e470c223609d8866f76b1a604d31c82954c5c9e3218073a6d7fb0f5a
Instruction ID: 33c7aa6e00f3c3bac49d9f0418fb6b56b905cf750bd4524f5a64f225cfeea72e
Opcode Fuzzy Hash: a70be603e470c223609d8866f76b1a604d31c82954c5c9e3218073a6d7fb0f5a
Instruction Fuzzy Hash: B1415875240B008FD721CF64C881B97B7E1FB49308F04492DE6AA8BBA0D775B884CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00415845 Relevance: 3.1, APIs: 2, Instructions: 94nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004158E8
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00415940

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 9d4e7311ac1a82c571c4f406418959ae0dc9b4559076dd1f6ca8a4649fbd7fbe
Instruction ID: bcd1bfd9ffe197705f1b3e135b0092326062c6fd076863634ac4d60eaa136b27
Opcode Fuzzy Hash: 9d4e7311ac1a82c571c4f406418959ae0dc9b4559076dd1f6ca8a4649fbd7fbe
Instruction Fuzzy Hash: B7311575108345EFD744CF04D881B9BBBE4FB88318F509A2EF9A5972A0C770D845CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00431EC0 Relevance: 3.1, APIs: 2, Instructions: 93nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00431F85
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00431FCF

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 8d3ca9f5f759c441b7cbae33ca4121ad006f8a851516515c0521a0ef17a251d7
Instruction ID: 7f3815035bc4ed8b375fe1f46fc3cc466423e899d5b26c2a2aa9295ddeaad95a
Opcode Fuzzy Hash: 8d3ca9f5f759c441b7cbae33ca4121ad006f8a851516515c0521a0ef17a251d7
Instruction Fuzzy Hash: 0331C1712083009FD310CF44C885B1F7BE4EB85398F15862DF5A48B7E0C7799849CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00414639 Relevance: 3.1, APIs: 2, Instructions: 92nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00414B17
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00414B5B

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 5e07f48f11aaef386efdcdbe51f62d1942e5f72b4b279f122d921e5f37b116e7
Instruction ID: c8664740b9ea6f7ce559daf3dee0801b4b6608009c76fc212164c2a3753deaba
Opcode Fuzzy Hash: 5e07f48f11aaef386efdcdbe51f62d1942e5f72b4b279f122d921e5f37b116e7
Instruction Fuzzy Hash: 62217AB5D441089FDB04CF94E885BEEB7B4FF89308F148229E921A7790D7786846CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC35 Relevance: 3.1, APIs: 2, Instructions: 89nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041CCDC
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041CD2F

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: e3dc52d6f64ee3dc5874382a5f9f5a8576eec821ba24ebc1e556525c7b59df38
Instruction ID: 7ce55586b22b1b34dcb434da375e3ad585583d592faf931fef38008dea663768
Opcode Fuzzy Hash: e3dc52d6f64ee3dc5874382a5f9f5a8576eec821ba24ebc1e556525c7b59df38
Instruction Fuzzy Hash: 83210A75240B408FE724CF24C845BA7B7E4FB46304F445A2DE5FB9BA90DB746844CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00418221 Relevance: 3.1, APIs: 2, Instructions: 88nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004182C9
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041830C

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1800ccd98a493528ed3e0aaa5f4bbcb7da0f55d7b41e5f37f5da20b3a4451384
Instruction ID: 809cbc2d6080e377e143ffaf2f5ef56c4b347c32ce75cb94befc15110382806c
Opcode Fuzzy Hash: 1800ccd98a493528ed3e0aaa5f4bbcb7da0f55d7b41e5f37f5da20b3a4451384
Instruction Fuzzy Hash: 74315976A506198FDB04CFA8D895BEE7BB4FB59314F144128E522FB390C774A904CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00417805 Relevance: 3.1, APIs: 2, Instructions: 87nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041798B
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004179D4

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 50a27c6599ce91c3890ca4e62ea32fa2975285621d959c110539d4f952464cbe
Instruction ID: 6e618c92c400dee619a68786d46a82c2b397601bda41eda4fb1e3147df4a1729
Opcode Fuzzy Hash: 50a27c6599ce91c3890ca4e62ea32fa2975285621d959c110539d4f952464cbe
Instruction Fuzzy Hash: 693176B52483408FE304CF08D885B5BBBE4FB89308F144A2CF6A69B390D775D905CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E380 Relevance: 3.1, APIs: 2, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0041E42F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041E47D

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3de5ed2d280964c57a914cc52774cd29fc14166799dc75f3784d0137ac2822eb
Instruction ID: 814783848ec30631febb9c0dfdac4ebefb71f6c4de03a47edaadeb02568d1a91
Opcode Fuzzy Hash: 3de5ed2d280964c57a914cc52774cd29fc14166799dc75f3784d0137ac2822eb
Instruction Fuzzy Hash: 9321BB75108304AFD310DF09D840B5FBBE9EBC5364F014A28F9A49B3D0D7B598498BDA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A690 Relevance: 3.1, APIs: 2, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0041A73F
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041A78F

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: ee986e7a9b1271b2a07216c7a8d9cb43d8c1812717e6be3174858bb44e7eae04
Instruction ID: 532079d56a7c07c3c5a82a487d755c1b45d4933d2feebad57c87643e8528661e
Opcode Fuzzy Hash: ee986e7a9b1271b2a07216c7a8d9cb43d8c1812717e6be3174858bb44e7eae04
Instruction Fuzzy Hash: 74218B75208314AFD300CF18D880B5FBBE5EBC5364F118A29F9A49B7A0D7719C498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041FAE9 Relevance: 3.1, APIs: 2, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041FB91
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041FBD7

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 68a63b265ae5a69dde7784bf66520590ef51fd4f98334a7d6da866211dccaa2a
Instruction ID: f78e2e455fe5ec2ee329020e754e5695429d1ecdbc3d5863a2f9c4a4870185f9
Opcode Fuzzy Hash: 68a63b265ae5a69dde7784bf66520590ef51fd4f98334a7d6da866211dccaa2a
Instruction Fuzzy Hash: FE214775144B008FD324CF24D851BA7B7E9BB49304F108A2DD5AA9BBA0D774F909CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041192A Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00411A9C
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00411B06

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: cfcdd5b464c06958174747a2c44fd3b3531891281378083c1e7798d089f4847b
Instruction ID: ffdb1795192d1f4a33ffb60f0491378013900f8ca9a15c21998f86b6bd9c1612
Opcode Fuzzy Hash: cfcdd5b464c06958174747a2c44fd3b3531891281378083c1e7798d089f4847b
Instruction Fuzzy Hash: 2D316775140B109FD321CF24C885BA6B7E5FB49314F140A2DE6AB9BBE0D7B4B844CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00431DB0 Relevance: 3.1, APIs: 2, Instructions: 81nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00431E55
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00431E9B

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: f651c17dc6159820f4dc0866b58b3bf5e4d7b91302a4cd748158176a46ed9132
Instruction ID: 61535701136e35986f08020a28348cff0466d217e74ff2ccc89a20c40e6911ce
Opcode Fuzzy Hash: f651c17dc6159820f4dc0866b58b3bf5e4d7b91302a4cd748158176a46ed9132
Instruction Fuzzy Hash: 8E21AFB51083059FE714CF04D845B5FBBE8FB85314F108A2DF9A59B7A0D7B59808CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042F810 Relevance: 3.1, APIs: 2, Instructions: 80nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0042F8B1
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0042F90A

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: c67500576ff08bf5474584b32501971b62b95756158aa13ab650d7b865ded844
Instruction ID: b1d3b3e5e86eac88b72c63750be57288ad8f05899567b7f276fff8ac6243ea21
Opcode Fuzzy Hash: c67500576ff08bf5474584b32501971b62b95756158aa13ab650d7b865ded844
Instruction Fuzzy Hash: 51216B75208310AFD300CF14D844B1FBBF8EB8A764F518A2DFAA597390D77598488B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00431FF0 Relevance: 3.1, APIs: 2, Instructions: 79nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432095
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004320EA

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 85e916e0ef64303975eb84fd24cecc52fd52a0357e9479a05dba38141d87618e
Instruction ID: a83100d3cd14dadc868fd5a22a58614bceca76901fd14c443212344daeb2c6ea
Opcode Fuzzy Hash: 85e916e0ef64303975eb84fd24cecc52fd52a0357e9479a05dba38141d87618e
Instruction Fuzzy Hash: 71218C75108314AFD314CF14D944B1FBBE8FB89754F008A2DFAA597390D7B59808CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAA0 Relevance: 3.1, APIs: 2, Instructions: 77nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041CB2E
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041CB7B

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 848dd705ac979136c63ae09fcba3ce9da238b4eaae071bd8abaf229fff6cc9b5
Instruction ID: 01257b13d8f0913e4ac5b8e0475ebaf4dcda075fd7b6ea2d13ec11299fcb2951
Opcode Fuzzy Hash: 848dd705ac979136c63ae09fcba3ce9da238b4eaae071bd8abaf229fff6cc9b5
Instruction Fuzzy Hash: 592104B5144B108FD734CF24C885B56B3F4FB49314F148A2DD6A697B90DB75B8098B98

Uniqueness

Uniqueness Score: -1.00%

Function 00414E82 Relevance: 3.1, APIs: 2, Instructions: 74nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00415306
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00415359

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 9a0b64ca4b2c1350d2a85868c6cfe03b962ad67743a1754ed90f278c398a5bd0
Instruction ID: 7d3d28c96ba61f4e76a2f89c800cc1869ebd98b9e2c1dd086f3d8deeb9960dcf
Opcode Fuzzy Hash: 9a0b64ca4b2c1350d2a85868c6cfe03b962ad67743a1754ed90f278c398a5bd0
Instruction Fuzzy Hash: 31214B75148340AFD764CF04D885B5BB7E4FB89308F109A2DF5A6C73A0C7749849CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00416BB7 Relevance: 3.1, APIs: 2, Instructions: 73nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 00416C54
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00416C9B

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 5522cda67323a504640923fe3a2b54b31de8ee8fcb8f738718d139bc6dd55386
Instruction ID: abc3397ac4d844e4be27d9a93093f4362a622c7b11aaca28566e4d46337bfc4c
Opcode Fuzzy Hash: 5522cda67323a504640923fe3a2b54b31de8ee8fcb8f738718d139bc6dd55386
Instruction Fuzzy Hash: 9A2169756083508FE300CF14D844B6BB7E8FBC9314F054A2DE9A59B7A1DB74D848CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042242C Relevance: 3.1, APIs: 2, Instructions: 64nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004224A9
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004224FB

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 97a11f723d9c1e0cd0263510edc6433e926a0f9fde46e4b220da2048b5a0fce4
Instruction ID: 6605afbc33645388bfa4b7525ad6323dd84d6d53d02e93134b10ff40c36b162c
Opcode Fuzzy Hash: 97a11f723d9c1e0cd0263510edc6433e926a0f9fde46e4b220da2048b5a0fce4
Instruction Fuzzy Hash: 28218776140B108FE321CF20C845B97BBF4BB05314F054A2DE6EACB6D1DBB1A408CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041624E Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

EK, xrefs: 0041657B
lm, xrefs: 0041641E

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: lm$EK
API String ID: 0-2159843012
Opcode ID: 0a3e4a5cf9452a08c05b2483c354a99a11d474aa3488b6cee8b948c8e07c9c08
Instruction ID: a36759d694e76a055ce3aaf255af7a043583e81cba307c871a65dc31c1da7af5
Opcode Fuzzy Hash: 0a3e4a5cf9452a08c05b2483c354a99a11d474aa3488b6cee8b948c8e07c9c08
Instruction Fuzzy Hash: 55C145B01083418BE724CF24C490B9BBBE1AF85358F250E1DF5A59B361D338D689CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004350C0 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

rdF, xrefs: 00435154
Vyx{, xrefs: 00435118

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Vyx{$rdF
API String ID: 0-14885107
Opcode ID: 09af2929a0389c1a177a9919b756de842bdeae5f343bc1ebd5981f7ff69c4e40
Instruction ID: 42fcc138402cf161924e1808b6fbf56c0cbbf00d4d8edb0629b6df07aad2a770
Opcode Fuzzy Hash: 09af2929a0389c1a177a9919b756de842bdeae5f343bc1ebd5981f7ff69c4e40
Instruction Fuzzy Hash: 13115A745093409BD304CF18C590B1BBBE6FBCA749F149A1CE8D897355D738DA018F8A

Uniqueness

Uniqueness Score: -1.00%

Function 00411FF4 Relevance: 1.7, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

V4H, xrefs: 00412275

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: V4H
API String ID: 0-1415426373
Opcode ID: cb94ecc6ce6fd6d2ba2939abe14601baab049bcf8abb40c3d3ffea15dff55397
Instruction ID: caf1b3ec0bd6568e0281195401daecab40dd63260cc269e97e6358ee4890742b
Opcode Fuzzy Hash: cb94ecc6ce6fd6d2ba2939abe14601baab049bcf8abb40c3d3ffea15dff55397
Instruction Fuzzy Hash: 2DE19871500B018BD734CF29C980767B7F5BB4A308F040A2ED597C7A91EBB9E895CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420613 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

::34, xrefs: 0042086C

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ::34
API String ID: 0-1123104282
Opcode ID: 3bea8447e9fc865d38055c6f1a84ceea0649c090f9c750539e75b0a53a1ae60a
Instruction ID: 3fea3aa3c73fe3f71f12a55eaba9c2f6509eadb3a0a88ba288dcff03199b6a42
Opcode Fuzzy Hash: 3bea8447e9fc865d38055c6f1a84ceea0649c090f9c750539e75b0a53a1ae60a
Instruction Fuzzy Hash: 05B1F771201B518BD3388F3985513A7FBE2BF92304F68965EC4E78B782D738A445CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004200C0 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

ECPA, xrefs: 004202D8

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ECPA
API String ID: 0-1144154328
Opcode ID: b0cf55e97f51dad8f89e01710394af98a5449b904d84d1f3ac78ebf5adfa1c0f
Instruction ID: bf91a3410379911cc975c7d90e9919ce42975f4022f1f3ff26eaaf91998a9a71
Opcode Fuzzy Hash: b0cf55e97f51dad8f89e01710394af98a5449b904d84d1f3ac78ebf5adfa1c0f
Instruction Fuzzy Hash: 4E91BF70244B928BD725CB35D4A47E3BBE2BF5A309F48896DC4EB0B386C7792405CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00433C76 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

3$H, xrefs: 00433E61

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 3$H
API String ID: 0-1350806239
Opcode ID: ecef57789d792b34684c86892a0995b7e5f4c201bf86f3c2f5c95e7202211bce
Instruction ID: a7cf2701f0ea668e959cf1b855e4a1afb16224d86e86a7ab9960bc945ead5e92
Opcode Fuzzy Hash: ecef57789d792b34684c86892a0995b7e5f4c201bf86f3c2f5c95e7202211bce
Instruction Fuzzy Hash: 8B517FF09106008FD728DF29D56AB22BBA5EB49324F15875DE8A68B7D5D334E804CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0041F920 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

rxE, xrefs: 0041FA5C

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: rxE
API String ID: 0-1231299533
Opcode ID: 14a937d306503192d10d95fe76ec165c158649cf7065e8652aa8b20692b0189c
Instruction ID: 9e3a573b47e88f82a571ae6f810fc4cba00ac39bfc08b1bbdb979a5a958005ff
Opcode Fuzzy Hash: 14a937d306503192d10d95fe76ec165c158649cf7065e8652aa8b20692b0189c
Instruction Fuzzy Hash: 8441B235610B108BC729CF28C8517ABB3F2EF95318B148A2DD8A69BB95D739E406C784

Uniqueness

Uniqueness Score: -1.00%

Function 0041544F Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

631=, xrefs: 004154B8

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 631=
API String ID: 0-1276930059
Opcode ID: 5e361b63e7a3d07bedc4b3c487d79281e5ee3847931cd6f7f3ecd2424ac67450
Instruction ID: 4afbab2b7a634526e147b256031ee6000e01c6308c349eeb7a7cf66a989206e5
Opcode Fuzzy Hash: 5e361b63e7a3d07bedc4b3c487d79281e5ee3847931cd6f7f3ecd2424ac67450
Instruction Fuzzy Hash: C51153715183419FC324CF14C494B6FBBF0AB82258F88982DF1849B360C779C8868B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00434BB3 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

\mrs, xrefs: 00434C08

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: \mrs
API String ID: 0-882183303
Opcode ID: 06195a51766590fa7df0bab47ad8176920468810a08a9caf1e35f900b3c06eae
Instruction ID: 4086b3e8efd6bc8adebb0649201b8945916db950275074902b7e22e020a058b2
Opcode Fuzzy Hash: 06195a51766590fa7df0bab47ad8176920468810a08a9caf1e35f900b3c06eae
Instruction Fuzzy Hash: 101139741083409FE708CF01D46476FBBB2EBC5328F21991DE8A917681C779D946CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5e843d7543e6cd8ea0c6dc69c695d7b8cd6d55f974910343f50285b21fb32d
Instruction ID: b5cfab07f5de4e843bfd61719c23f4ed3a6afa5a9f8a5e26faf075e0c2b59347
Opcode Fuzzy Hash: 7c5e843d7543e6cd8ea0c6dc69c695d7b8cd6d55f974910343f50285b21fb32d
Instruction Fuzzy Hash: 9702D3356083408FD714CF18C88076BBBE2AFD9314F09886DE889DB396D739D955CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00414795 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2706f90a46799b4675ebc24c94e42fb15040bc9873d4ef48299b7eb9c5988c6
Instruction ID: a3271d155e0e17033c35296d2219f7196284aa862804f714172d3349136ae138
Opcode Fuzzy Hash: e2706f90a46799b4675ebc24c94e42fb15040bc9873d4ef48299b7eb9c5988c6
Instruction Fuzzy Hash: D351C1B49102059BCB24DF18CC93BBB77B4FF4A364F145109E956AB3D1E378A940C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 004131F7 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8376e4de58a7eb2eea3aa705c26067d1f89e07440ce763e61799532272071726
Instruction ID: 70356d7fa44e21b31219708582ea66004928fccd2beba45858bf3625ff4fbfe8
Opcode Fuzzy Hash: 8376e4de58a7eb2eea3aa705c26067d1f89e07440ce763e61799532272071726
Instruction Fuzzy Hash: D78145B0500B018BE324CF24C4947A7F7F1BF4A304F148A5DD9AA9B782D37AB985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0042D8D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4ec43c65dfaf147c159b760be37f4e95520efd71fca5b1ec88a344bb3f966837
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4611C633F051E50EC3168D3C9400565BFA30AA7234FA943AAF4F89B2D6D6268DCA8359

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc53d70e44d618bca5650359f9af69415b6e5d41cd13793d19876309d14fde3
Instruction ID: 1a0b59d23cd93b1d542af5ef49736171c3e5a6047d87b067bf3a96ac2a6721f4
Opcode Fuzzy Hash: 4bc53d70e44d618bca5650359f9af69415b6e5d41cd13793d19876309d14fde3
Instruction Fuzzy Hash: E9211A74640B48AFD320DF25D881BD7B7A4BF0A348F84191CE4EA9B291C370B561CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBD1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a695d055a967659168b6de385886ee6b463133110f42e3a4b4798de6d6d8dd4
Instruction ID: 60b713794e87a4872b2b8844ec7a7a5841490454c4e21382718faa66027f6c28
Opcode Fuzzy Hash: 6a695d055a967659168b6de385886ee6b463133110f42e3a4b4798de6d6d8dd4
Instruction Fuzzy Hash: 4AF0963850CBC189CB27CF3A84506B2BBE1AF17345B1454DEC9D3DB693D20D944AD76A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
Instruction ID: 507271870a67392c71754b1cc458eefa4646157bacb8f9b6bceb26d0fdaa40b8
Opcode Fuzzy Hash: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
Instruction Fuzzy Hash: 39D097A15083B00EC7184E3820E1433FBF4E847212B0811EFF0D1F3285C234EC0052AC

Uniqueness

Uniqueness Score: -1.00%

Function 0042759F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0cc817fc3f1f4c7cf9c46464750f43a674e38b2a8c744462d2bcbee1a02083
Instruction ID: 6c8c5c071c0c07982ef90e7af554f4baa5579b287b487f285af8563a2de8f6f7
Opcode Fuzzy Hash: 4f0cc817fc3f1f4c7cf9c46464750f43a674e38b2a8c744462d2bcbee1a02083
Instruction Fuzzy Hash: 7CF039745083418FC308EF28C491656BBF0AB8C704F01992EE8AACB350CBB4A948CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC1A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8835c2ce0abb64ea34aff0132fa94b6aaee1d3eaa2be47e7d0d8520fd193eb2
Instruction ID: 9b37afa60cf7da3ef89e7435e5aa8ee2e4d6d891c250b8a819286ded8e7de450
Opcode Fuzzy Hash: d8835c2ce0abb64ea34aff0132fa94b6aaee1d3eaa2be47e7d0d8520fd193eb2
Instruction Fuzzy Hash: 2AD0222558E2C04BC70A4E108AA20F07F798A43160F0F70EBC8C2CB983D828C0878756

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAA6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe70a86a36de4bc9a188243c5e4e1c5a30d4a3bfc9f97628812bf9a81bacc7c1
Instruction ID: eee595b538399cdefdf825662f1d57b26ba111c3747142b8661fd16535be2cbd
Opcode Fuzzy Hash: fe70a86a36de4bc9a188243c5e4e1c5a30d4a3bfc9f97628812bf9a81bacc7c1
Instruction Fuzzy Hash: A4D0C978A0A2108FC304CF54D840729B3B1F78A354F12B424DA85A3356C771AC008F8C

Uniqueness

Uniqueness Score: -1.00%

Function 00414BA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaf644f6a35b20725730ef8126352bb8ae1b316f0c3e1e897c2455391bf534b
Instruction ID: d805e8a1ec0a504a5ac41495e5e17a18a785d6a1986fe05ec29877d7d23711fc
Opcode Fuzzy Hash: bbaf644f6a35b20725730ef8126352bb8ae1b316f0c3e1e897c2455391bf534b
Instruction Fuzzy Hash: 5BC08CA4D8424087D50CCF10BD42471623CA21320CF143038D40AF3282C924D026860D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F040 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 273COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0041F10B
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0041F139

Strings

'U,S, xrefs: 0041F14D
7I9W, xrefs: 0041F146
1m+k, xrefs: 0041F051
MO, xrefs: 0041F209
qrs, xrefs: 0041F21E

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: MO$'U,S$1m+k$7I9W$qrs
API String ID: 237503144-2665577931
Opcode ID: bd5b5dbf96ad3e24928385487b5925516d89059c076501fa0f3229168e0e50f9
Instruction ID: e906268d37b2dbc94cbf39d681b1a9dfd26ad2aa764896e512b7e08ca28bf428
Opcode Fuzzy Hash: bd5b5dbf96ad3e24928385487b5925516d89059c076501fa0f3229168e0e50f9
Instruction Fuzzy Hash: 41A12475100F408FD32ACF25C490BA7B7E5BB88704F554A2EC9A78BA91D774F54ACB84

Uniqueness

Uniqueness Score: -1.00%

Function 00429FCE Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042A05C
GetSystemMetrics.USER32 ref: 0042A06D
DeleteObject.GDI32 ref: 0042A0CC
SelectObject.GDI32 ref: 0042A11D
SelectObject.GDI32 ref: 0042A1B1
DeleteObject.GDI32 ref: 0042A1EB

Strings

, xrefs: 0042A184

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 41364c15de16d32462eb69905484187cb185efdbcb6be1f17f6c8bdaa6a02d65
Instruction ID: 647db09b42c5dd83a634b8fcff5b1b4893a37ef93c7b7211c3f18515bf4bf6e9
Opcode Fuzzy Hash: 41364c15de16d32462eb69905484187cb185efdbcb6be1f17f6c8bdaa6a02d65
Instruction Fuzzy Hash: B691ABB4604B009FC350EF29D985A1ABBF0FF49304F11492DE99ACB360E735A858CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0041B240 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041B374
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041B3A5

Strings

^t, xrefs: 0041B286
FC, xrefs: 0041B294
y~, xrefs: 0041B28D

Memory Dump Source

Source File: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: FC$^t$y~
API String ID: 237503144-1521909807
Opcode ID: 33599a3e99cef9e31cb3607fed6f5d6e0bfc8af6c2711e3c1326e9d8c845a332
Instruction ID: 3c89800f3e7552f2c51a390e558992463cf30610e3972c858cf926446cec5557
Opcode Fuzzy Hash: 33599a3e99cef9e31cb3607fed6f5d6e0bfc8af6c2711e3c1326e9d8c845a332
Instruction Fuzzy Hash: 5D4101B5100B449BD334CF26C854B53BBF5FB85718F108A1DE9E64BB90D375B9058B91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8lvzqcMqGF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8lvzqcMqGF.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
8lvzqcMqGF.exe

Function 023B545D Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Function 023823FF Relevance: .2, Instructions: 235
COMMON

Function 02381CF0 Relevance: .2, Instructions: 193
COMMON

Function 02384773 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 02384778 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Function 023845F0 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 023845F8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 00435E60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 155
nativememoryCOMMON

Function 004329E6 Relevance: 6.2, APIs: 4, Instructions: 155
nativememoryCOMMON

Function 00433408 Relevance: 6.1, APIs: 4, Instructions: 123
nativememoryCOMMON

Function 00436230 Relevance: 3.1, APIs: 2, Instructions: 94
nativememoryCOMMON

Function 004335B2 Relevance: 3.1, APIs: 2, Instructions: 89
nativememoryCOMMON

Function 004144F0 Relevance: 3.1, APIs: 2, Instructions: 77
nativememoryCOMMON

Function 004331CB Relevance: 1.6, APIs: 1, Instructions: 53
nativeCOMMON

Function 00433161 Relevance: 1.5, APIs: 1, Instructions: 17
nativeCOMMON

Function 0043328A Relevance: 1.5, APIs: 1, Instructions: 16
nativeCOMMON

Function 00408E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Function 00434148 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89
memoryCOMMON

Function 00433047 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
libraryCOMMON

Function 004315FB Relevance: 1.5, APIs: 1, Instructions: 47
memoryCOMMON

Function 00434A80 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON