Edit tour

Windows Analysis Report
xXO3Bx1Gtv.exe

Overview

General Information

Sample name:	xXO3Bx1Gtv.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	4dc3d7a6e1bef7cabd6e5e6681f3640628887a6beea0e096416baff784df7a3b
Analysis ID:	1435952
MD5:	0df8abbbbc63aa2e171466a6cf93b172
SHA1:	fb8e1da97308f5466ce438222a0ea1c28efaaf01
SHA256:	4dc3d7a6e1bef7cabd6e5e6681f3640628887a6beea0e096416baff784df7a3b
Infos:

Detection

LummaC

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Detected potential crypto function

Entry point lies outside standard sections

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xXO3Bx1Gtv.exe (PID: 5100 cmdline: "C:\Users\user\Desktop\xXO3Bx1Gtv.exe" MD5: 0DF8ABBBBC63AA2E171466A6CF93B172)

WerFault.exe (PID: 1816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 340 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["barbecueappledos.pw", "killredls.pw", "keewoolas.pw", "moskhoods.pw", "dayzilons.pw", "revivalsecularas.pw", "steycools.pw", "bloockflad.pw", "bookgames.pw"], "Build id": "KjGtqi--Zinfandel"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.binstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: barbecueappledos.pw	Avira URL Cloud: Label: malware
Source: keewoolas.pw	Avira URL Cloud: Label: malware
Source: bloockflad.pw	Avira URL Cloud: Label: malware
Source: revivalsecularas.pw	Avira URL Cloud: Label: malware
Source: killredls.pw	Avira URL Cloud: Label: malware
Source: steycools.pw	Avira URL Cloud: Label: malware
Source: bookgames.pw	Avira URL Cloud: Label: malware
Source: moskhoods.pw	Avira URL Cloud: Label: malware
Source: dayzilons.pw	Avira URL Cloud: Label: malware

Found malware configuration

Source: xXO3Bx1Gtv.exe

Malware Configuration Extractor: LummaC {"C2 url": ["barbecueappledos.pw", "killredls.pw", "keewoolas.pw", "moskhoods.pw", "dayzilons.pw", "revivalsecularas.pw", "steycools.pw", "bloockflad.pw", "bookgames.pw"], "Build id": "KjGtqi--Zinfandel"}

Multi AV Scanner detection for domain / URL

Source: barbecueappledos.pw	Virustotal: Detection: 11%	Perma Link
Source: keewoolas.pw	Virustotal: Detection: 15%	Perma Link
Source: revivalsecularas.pw	Virustotal: Detection: 15%	Perma Link
Source: moskhoods.pw	Virustotal: Detection: 16%	Perma Link
Source: steycools.pw	Virustotal: Detection: 14%	Perma Link
Source: killredls.pw	Virustotal: Detection: 15%	Perma Link
Source: dayzilons.pw	Virustotal: Detection: 12%	Perma Link
Source: bookgames.pw	Virustotal: Detection: 15%	Perma Link
Source: bloockflad.pw	Virustotal: Detection: 14%	Perma Link

Machine Learning detection for sample

Source: xXO3Bx1Gtv.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: xXO3Bx1Gtv.exe	String decryptor: barbecueappledos.pw
Source: xXO3Bx1Gtv.exe	String decryptor: killredls.pw
Source: xXO3Bx1Gtv.exe	String decryptor: keewoolas.pw
Source: xXO3Bx1Gtv.exe	String decryptor: moskhoods.pw
Source: xXO3Bx1Gtv.exe	String decryptor: dayzilons.pw
Source: xXO3Bx1Gtv.exe	String decryptor: revivalsecularas.pw
Source: xXO3Bx1Gtv.exe	String decryptor: steycools.pw
Source: xXO3Bx1Gtv.exe	String decryptor: bloockflad.pw
Source: xXO3Bx1Gtv.exe	String decryptor: bookgames.pw
Source: xXO3Bx1Gtv.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: xXO3Bx1Gtv.exe	String decryptor: TeslaBrowser/5.5
Source: xXO3Bx1Gtv.exe	String decryptor: - Screen Resoluton:
Source: xXO3Bx1Gtv.exe	String decryptor: - Physical Installed Memory:
Source: xXO3Bx1Gtv.exe	String decryptor: Workgroup: -
Source: xXO3Bx1Gtv.exe	String decryptor: KjGtqi--Zinfandel

Source: xXO3Bx1Gtv.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: barbecueappledos.pw
Source: Malware configuration extractor	URLs: killredls.pw
Source: Malware configuration extractor	URLs: keewoolas.pw
Source: Malware configuration extractor	URLs: moskhoods.pw
Source: Malware configuration extractor	URLs: dayzilons.pw
Source: Malware configuration extractor	URLs: revivalsecularas.pw
Source: Malware configuration extractor	URLs: steycools.pw
Source: Malware configuration extractor	URLs: bloockflad.pw
Source: Malware configuration extractor	URLs: bookgames.pw

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0041C04D	0_2_0041C04D
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00451804	0_2_00451804
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_004188AD	0_2_004188AD
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00428172	0_2_00428172
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0041D97A	0_2_0041D97A
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_004272D8	0_2_004272D8
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00409B60	0_2_00409B60
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0040F3C4	0_2_0040F3C4
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0041DB99	0_2_0041DB99
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00404BAE	0_2_00404BAE
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0044A439	0_2_0044A439
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0044DDD0	0_2_0044DDD0
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0040C5DC	0_2_0040C5DC
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0040CF58	0_2_0040CF58
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0040DF6A	0_2_0040DF6A
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00413777	0_2_00413777
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0041BF07	0_2_0041BF07
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00418F19	0_2_00418F19

Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 340

Source: xXO3Bx1Gtv.exe, 00000000.00000000.1632468259.00000000007D7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQvConnect32.EXEZ vs xXO3Bx1Gtv.exe
Source: xXO3Bx1Gtv.exe	Binary or memory string: OriginalFilenameQvConnect32.EXEZ vs xXO3Bx1Gtv.exe

Source: xXO3Bx1Gtv.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5100

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1c1f0839-a889-4070-9656-41b1016a66bb

Jump to behavior

Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xXO3Bx1Gtv.exe "C:\Users\user\Desktop\xXO3Bx1Gtv.exe"
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 340

Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Section loaded: wininet.dll	Jump to behavior

Source: xXO3Bx1Gtv.exe

Static file information: File size 4132864 > 1048576

Source: xXO3Bx1Gtv.exe

Static PE information: Raw size of ./PING/2 is bigger than: 0x100000 < 0x262000

Source: initial sample

Static PE information: section where entry point is pointing to: ./PING/2

Source: xXO3Bx1Gtv.exe

Static PE information: real checksum: 0x284eca should be: 0x3f6de3

Source: xXO3Bx1Gtv.exe	Static PE information: section name: ./PING/0
Source: xXO3Bx1Gtv.exe	Static PE information: section name: ./PING/1
Source: xXO3Bx1Gtv.exe	Static PE information: section name: ./PING/2

Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00412B0A push ebx; retf 0004h	0_2_00412B0D
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00776574 push 0F370C96h; mov dword ptr [esp], esi	0_2_0077657C
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00401DCF push eax; mov dword ptr [esp], 00000000h	0_2_00401DD4
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_004686B1 push ecx; ret	0_2_004686C4
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00415F5D push eax; ret	0_2_00415F5E

Source: xXO3Bx1Gtv.exe	Static PE information: section name: .text entropy: 6.8060853503210135
Source: xXO3Bx1Gtv.exe	Static PE information: section name: ./PING/0 entropy: 7.837674875091487

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_00465ADF mov eax, dword ptr fs:[00000030h]		0_2_00465ADF
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe	Code function: 0_2_0045BEE6 mov ecx, dword ptr fs:[00000030h]		0_2_0045BEE6

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: barbecueappledos.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: killredls.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: keewoolas.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: moskhoods.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: dayzilons.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: revivalsecularas.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: steycools.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: bloockflad.pw
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: bookgames.pw

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Software Packing	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xXO3Bx1Gtv.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
barbecueappledos.pw	100%	Avira URL Cloud	malware
keewoolas.pw	100%	Avira URL Cloud	malware
bloockflad.pw	100%	Avira URL Cloud	malware
revivalsecularas.pw	100%	Avira URL Cloud	malware
killredls.pw	100%	Avira URL Cloud	malware
steycools.pw	100%	Avira URL Cloud	malware
bookgames.pw	100%	Avira URL Cloud	malware
moskhoods.pw	100%	Avira URL Cloud	malware
barbecueappledos.pw	12%	Virustotal		Browse
keewoolas.pw	15%	Virustotal		Browse
dayzilons.pw	100%	Avira URL Cloud	malware
revivalsecularas.pw	15%	Virustotal		Browse
moskhoods.pw	16%	Virustotal		Browse
steycools.pw	14%	Virustotal		Browse
killredls.pw	15%	Virustotal		Browse
dayzilons.pw	13%	Virustotal		Browse
bookgames.pw	15%	Virustotal		Browse
bloockflad.pw	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
keewoolas.pw	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
revivalsecularas.pw	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
killredls.pw	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
bloockflad.pw	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
barbecueappledos.pw	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
steycools.pw	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
bookgames.pw	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
moskhoods.pw	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
dayzilons.pw	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435952
Start date and time:	2024-05-03 13:48:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xXO3Bx1Gtv.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	4dc3d7a6e1bef7cabd6e5e6681f3640628887a6beea0e096416baff784df7a3b
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 27

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target xXO3Bx1Gtv.exe, PID 5100 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
13:49:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xXO3Bx1Gtv.exe_b9154763bcedd46a6db4586a931bedddd56ff80_f1e767b5_e85d00cd-1196-428b-9568-1792ead1eaee\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7627986015193194
Encrypted:	false
SSDEEP:	96:hQFICNgcXOqC5Ls3lc1fZfrQXIDcQ4c6XcENcw3Imf/+HbHg/8BRTf3o8Fa9EUR0:S7XO/5La02T3Rkj2qzuiFGZ24IO87B
MD5:	58B74074FCAEC10B932AF6125D8D9650
SHA1:	DBEC291617D0FAA9B85147ADE9A242A4BDD5BE33
SHA-256:	937256832C5878D16F220884D6EC742CA45E7CE07DFBC55FD2100D63BA90150E
SHA-512:	B25C9B667C2FD5818F8C24943E0A06F0B762CADF274C9C15111881802A58913B5B2E70BBC4E59190800DD6A94DDC80CFBA32083AED3C4A1E5FAF07A4C57416F7
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.2.1.0.5.5.3.3.5.0.2.6.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.2.1.0.5.5.6.5.0.6.5.3.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.5.d.0.0.c.d.-.1.1.9.6.-.4.2.8.b.-.9.5.6.8.-.1.7.9.2.e.a.d.1.e.a.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.8.7.7.4.3.9.-.6.7.6.b.-.4.3.0.d.-.b.2.a.e.-.9.3.4.7.b.5.b.a.f.2.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.X.O.3.B.x.1.G.t.v...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.Q.v.C.o.n.n.e.c.t.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.e.c.-.0.0.0.1.-.0.0.1.4.-.a.5.8.1.-.b.1.e.a.4.f.9.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.8.9.f.1.2.0.1.9.2.f.2.4.c.2.3.c.0.9.1.9.e.c.9.0.5.3.6.6.5.a.f.0.0.0.0.0.9.0.4.!.0.0.0.0.f.b.8.e.1.d.a.9.7.3.0.8.f.5.4.6.6.c.e.4.3.8.2.2.2.a.0.e.a.1.c.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C06.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri May 3 11:49:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1073042
Entropy (8bit):	0.9074942508144229
Encrypted:	false
SSDEEP:	1536:OwMYi2VETOCN06ui2aOC26zGUp6lMZ3afKeyzl3yY/2wVI9q2ocA9MQtPrzuQ:vEJQUSMpaieyP2kI9GMQBrzuQ
MD5:	2903D2E6E9BCA75BB0411BD739553596
SHA1:	ABCEEECFDE4A619AF688DDBB2F5499320E693EB5
SHA-256:	12C5769F8ADE2F606D9036259B5AAE5F9B02987D84BF48F6B8DCB4BC641F3E23
SHA-512:	3B2A21EE59AA15942DB16C15D76D00AF24B2C3896057A3FFE31B143891422D82CEDD210B81E3A6A8F6EAB801E245A56878D01754CFFACF4B715EEFFDA3BB9B4F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......9.4f........................L................!..........T.......8...........T................Q......................................................................................................eJ......l.......GenuineIntel............T...........8.4f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26D4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.700002733964674
Encrypted:	false
SSDEEP:	192:R6l7wVeJnB6J6Y95SU98kgmfOJSpDT89bKusfJOm:R6lXJB6J6YzSU98kgmfO1KtfZ
MD5:	191BCA46DEBE3D5BCE7CD9F8F4A5A099
SHA1:	B630488094131AABB8B0CF01EBD91C7B7709B3C2
SHA-256:	3109DDBC4C26FBCE854F51D9C744233FAD1867F7595C718AB3847485E1CA6987
SHA-512:	0934F5E93C302AB51778F844000E4AC4FB6B44D6C1E5AFBAC931AE501B02DF437CEEA03A6463BEB83167BD84B15111AB5ECEB30841CC8C78D1D05820801A9672
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26F5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.4934966466244175
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI9dKWpW8VYKyYm8M4JQ3FcVEM6FBy9+q8RmvoMzhEULTNd:uIjffI7nr7VJJbf9zzh1LTNd
MD5:	D52E745AC3C2C61FDDC9EC1BA4CA2659
SHA1:	33B80A501EB0904D89F5335DAEE11FA606F189F7
SHA-256:	86EEC3336913A723CB382838BB13BFA3EAE812B8E5061A5C0B43E68D71EF6888
SHA-512:	A32637D14A1351702C10F840CB3B4BC130B001C9354ECBC6616E350BAE35E3353DCF6F92AEBB20CE7FE862BA5A2843CC35F840B37CCF21DCC7BE164874F871CD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306891" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466072700678023
Encrypted:	false
SSDEEP:	6144:5IXfpi67eLPU9skLmb0b4oWSPKaJG8nAgejZMMhA2gX4WABl0uNFdwBCswSbP:KXD94oWlLZMM6YFHD+P
MD5:	7775D04E7A40734FF1A1187600EB2C9C
SHA1:	3D87BE709DA0BF527E9DCA7E3D7184DB768A0D14
SHA-256:	DF2B0046452AF67D1E740257DE0F491FF156BA0F1058A50DCC212DF536E4762B
SHA-512:	9D7C8D2DFB8CE958E7177FE0F7E69D74A99A487F0EDEF07B6935E73BBBB26063C4566C238323992CD4AFA5C856EC34AC8EA363CA8C57988A19FB74968826DE12
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.8..O................................................................................................................................................................................................................................................................................................................................................?..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.821181029934212
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xXO3Bx1Gtv.exe
File size:	4'132'864 bytes
MD5:	0df8abbbbc63aa2e171466a6cf93b172
SHA1:	fb8e1da97308f5466ce438222a0ea1c28efaaf01
SHA256:	4dc3d7a6e1bef7cabd6e5e6681f3640628887a6beea0e096416baff784df7a3b
SHA512:	ea42a729b56ba8063a29d97bcbcc0cbbc8428e939aae3fa483e605551525dbf66a8c8ca1e8ea3f0ddde68d561c8babe8168d376acbe43b22f37d80d18e8309e1
SSDEEP:	98304:D3dhinxWxbC7HKMKI1gnwXrPljNaliok+PPxJ2U18b/Db1esOD:D2ou7KFnwbljNalioBOU18b/Ne3
TLSH:	A71612113DC120F8D8A635B002A3EE3E75B47E3685358CCBB7D4BE6BD932650763526A
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Oe.................(..........~T*...........@...........................?......N(.....................................\|-<....

File Icon


Icon Hash:	01931b3979490c1d

Static PE Info

General

Entrypoint:	0x6a547e
Entrypoint Section:	./PING/2
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x654F9392 [Sat Nov 11 14:45:38 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	575ffd2062645b048aa6c5e951bbd11d

Entrypoint Preview

Instruction
push 2D0C8E14h
pushfd
or byte ptr [esp+04h], 0000003Fh
neg dword ptr [esp+04h]
cmp dword ptr [esp+04h], 062D8635h
mov dword ptr [esp+04h], 8B0A1BD6h
push dword ptr [esp+00h]
popfd
lea esp, dword ptr [esp+04h]
call 00007FAA7C88B97Ch
sbb dword ptr [ecx], edx
pop ss
call far 7039h : D09C4902h
daa
jmp 00007FAA68252167h
shr eax, FFFFFF87h
imul ecx, edx, 0181EC63h
or cl, bh
loop 00007FAA7C80D7F4h
sbb dword ptr [ecx+ecx*4+41h], eax
test eax, C34A9BB7h
mov al, byte ptr [BA6634C8h]
jp 00007FAA7C80D84Bh
js 00007FAA7C80D7DDh
daa
push ebp
add ah, byte ptr [edi]
test al, 42h
inc esi
push esi
sbb esi, ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c2d7c	0xdc	./PING/2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d7000	0x1980c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3d6300	0xc0	./PING/2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x174000	0x274	./PING/1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x73000	0x73000	4acee1c5db002bc1f5779666023290ea	False	0.5895316745923913	data	6.8060853503210135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x74000	0xd000	0xd000	cf7feb91e82e5723749347eb2a641226	False	0.55859375	data	5.748204833083643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x81000	0x5000	0x5000	8ce4a8c6d4df0cdc15c2df928098fd41	False	0.22451171875	data	4.081107640210269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
./PING/0	0x86000	0xee000	0xee000	832ec266376e658d4cc6625e16acddc6	False	0.9460551798844538	data	7.837674875091487	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
./PING/1	0x174000	0x1000	0x1000	bef779488f50c62a09b12ae4eba2b7b9	False	0.13671875	data	1.4245860605440923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
./PING/2	0x175000	0x262000	0x262000	2e10a4226f453827bdd77de0a9e484fe	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3d7000	0x1a000	0x1a000	f53d22ac46de32c3980d569206467cb0	False	0.6795560396634616	data	6.5508447870931015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x3ed3b8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x3ed4ec	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x3ed5a0	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x3ed6d4	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x3ed808	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x3ed93c	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x3eda70	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x3edba4	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x3edcd8	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x3ede0c	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x3edf40	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x3ee074	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x3ee1a8	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x3ee2dc	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x3ee410	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x3ee544	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x3ee678	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x3ee730	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x3d7bf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.8209219858156028
RT_ICON	0x3d8060	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.5229831144465291
RT_ICON	0x3d9108	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.42489626556016596
RT_ICON	0x3db6b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.3771846953235711
RT_ICON	0x3df8d8	0xd20b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9955366275501665
RT_DIALOG	0x3ee874	0x138	data	English	United States	0.5833333333333334
RT_DIALOG	0x3ee9ac	0x106	data	English	United States	0.648854961832061
RT_DIALOG	0x3eeab4	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x3eeb9c	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x3eebd0	0x46	data	English	United States	0.6571428571428571
RT_STRING	0x3eec18	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x3eec9c	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x3eecc8	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x3eee4c	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0x3ef33c	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x3ef5a0	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x3ef87c	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x3ef908	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x3ef9b4	0xde	data	English	United States	0.536036036036036
RT_STRING	0x3efa94	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x3eff3c	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x3f0164	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x3f0190	0x53e	data	English	United States	0.2965722801788376
RT_GROUP_CURSOR	0x3f06d0	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	0.9705882352941176
RT_GROUP_CURSOR	0x3f06f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f0708	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f071c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f0730	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f0744	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f0758	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f076c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f0780	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f0794	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f07a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f07bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f07d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f07e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x3f07f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x3ecae4	0x4c	data	English	United States	0.7631578947368421
RT_VERSION	0x3ecb30	0x56c	data	English	United States	0.3854466858789625
RT_MANIFEST	0x3ed09c	0x31c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (736), with CRLF line terminators	English	United States	0.5238693467336684

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateProcessW, CreateToolhelp32Snapshot, DecodePointer, DeleteCriticalSection, DeleteFileW, EncodePointer, EnterCriticalSection, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExA, GetComputerNameW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDriveTypeW, GetEnvironmentStringsW, GetFileInformationByHandle, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLastError, GetLogicalDrives, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLangID, GetSystemDefaultUILanguage, GetSystemTimeAsFileTime, GetTimeZoneInformation, GetUserDefaultLangID, GetUserDefaultUILanguage, GetVolumeInformationW, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, MultiByteToWideChar, PeekNamedPipe, Process32FirstW, Process32NextW, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetFileTime, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TzSpecificLocalTimeToSystemTime, UnhandledExceptionFilter, WideCharToMultiByte, WinExec, WriteConsoleW, WriteFile, lstrcatW, lstrcmpW, lstrcmpiW, lstrlenW
USER32.dll	EnumDisplayDevicesA, GetDC, GetDesktopWindow, GetSystemMetrics, ReleaseDC, SystemParametersInfoW, wsprintfW
ADVAPI32.dll	GetCurrentHwProfileW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegQueryValueExW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, DeleteDC, DeleteObject, GetDIBits, GetObjectW, SelectObject
SHLWAPI.dll	PathFileExistsW
WINHTTP.dll	WinHttpCloseHandle, WinHttpConnect, WinHttpCrackUrl, WinHttpOpen, WinHttpOpenRequest, WinHttpQueryDataAvailable, WinHttpReadData, WinHttpReceiveResponse, WinHttpSendRequest
IPHLPAPI.DLL	GetAdaptersInfo
WININET.dll	HttpAddRequestHeadersA, InternetQueryDataAvailable, InternetReadFile
CRYPT32.dll	CryptStringToBinaryA
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: xXO3Bx1Gtv.exePID: 5100, Parent PID: 2580

General

Target ID:	0
Start time:	13:49:12
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\xXO3Bx1Gtv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xXO3Bx1Gtv.exe"
Imagebase:	0x400000
File size:	4'132'864 bytes
MD5 hash:	0DF8ABBBBC63AA2E171466A6CF93B172
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 1816, Parent PID: 5100

General

Target ID:	3
Start time:	13:49:13
Start date:	03/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 340
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: xXO3Bx1Gtv.exePID: 5100, Parent PID: 2580COMMON

Non-executed Functions

Function 00404BAE Relevance: 50.3, APIs: 2, Strings: 26, Instructions: 1298COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00406089
_strlen.LIBCMT ref: 00406097

Strings

4gQ$, xrefs: 00404EF3
Tr;, xrefs: 00405249
f~], xrefs: 00405B29
c=Z:, xrefs: 00404D2F
Lz5 , xrefs: 00404264
PB], xrefs: 00404FAA
I+O, xrefs: 00404C57
:, xrefs: 00404706
!>{y, xrefs: 00405426
M{5/, xrefs: 00404354
>{y, xrefs: 00404FE9
gFD0, xrefs: 0040436B
A, xrefs: 00404F76
fFD0, xrefs: 00404134
A, xrefs: 00405864
A, xrefs: 0040537A
L, xrefs: 0040492F
:}, xrefs: 00405431
:}, xrefs: 00404BD9
J+O, xrefs: 00404C83
d=Z:, xrefs: 00405907
OB], xrefs: 00404C6D
J+O, xrefs: 004055F8
d=Z:, xrefs: 0040523E
._Z, xrefs: 00405C95
f~], xrefs: 00404FB5

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID: _strlen
String ID: >{y$!>{y$._Z$4gQ$$:$I+O$J+O$J+O$L$Lz5 $M{5/$OB]$PB]$c=Z:$d=Z:$d=Z:$fFD0$f~]$f~]$gFD0$Tr;$A$A$A$:}$:}
API String ID: 4218353326-589277786
Opcode ID: 794fcb9d18ff504b5511c2f722bcd00550631823b52934e1da313babfb5f4acd
Instruction ID: 5d3809e6dfe8f705cd5332ef1f326025e6f1fdb557f6513615b3ca46570c5a3b
Opcode Fuzzy Hash: 794fcb9d18ff504b5511c2f722bcd00550631823b52934e1da313babfb5f4acd
Instruction Fuzzy Hash: 3DB2F8B1D002099BDF249B98DC426BF7AB4EB54300F14457BE506FB3E1E3789A519F8A

Uniqueness

Uniqueness Score: -1.00%

Function 00409B60 Relevance: 16.1, Strings: 11, Instructions: 2333COMMON

Download Yara Rule

Strings

`, xrefs: 0040C0C4
d}W, xrefs: 00409B8B
bF=, xrefs: 0040ADB9
d}W, xrefs: 0040A905
#dC4, xrefs: 0040A362
PE@, xrefs: 00409B6C
^&-, xrefs: 0040A804
"dC4, xrefs: 0040A357
bF=, xrefs: 0040A77B
^&-, xrefs: 0040B353
qxBK, xrefs: 0040A6D6

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: "dC4$#dC4$PE@$^&-$^&-$`$qxBK$bF=$bF=$d}W$d}W
API String ID: 0-1324474951
Opcode ID: 1cd2f1f26d43312099fa83008184cc02e2ce570a55ef3166561210e93163b009
Instruction ID: 9ae1ee014539eb229e6f667b79c2468e21227092eb00178d6940b0e322408a29
Opcode Fuzzy Hash: 1cd2f1f26d43312099fa83008184cc02e2ce570a55ef3166561210e93163b009
Instruction Fuzzy Hash: 9E13C3B0E00219CBDF188BA8D8D167E76B4EB54314F24457BE916FB3D1D3789E418B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5DC Relevance: 11.8, Strings: 9, Instructions: 567COMMON

Download Yara Rule

Strings

O/, xrefs: 0040CE9F
2Bd, xrefs: 0040C920
v?, xrefs: 0040CB34
O/, xrefs: 0040CD01
>tWA, xrefs: 0040C617
?tWA, xrefs: 0040CED5
u?, xrefs: 0040C7E3
?tWA, xrefs: 0040C830
v?, xrefs: 0040C9A7

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: 2Bd$>tWA$?tWA$?tWA$u?$v?$v?$O/$O/
API String ID: 0-3734855115
Opcode ID: 12677df740d71dc0350d77574daf64c628753cc828b76a092f9e037ff7120699
Instruction ID: 0dc2f336648daf34a222a055cc824c407d3c3b8f318190c973e7a4f95da02ae3
Opcode Fuzzy Hash: 12677df740d71dc0350d77574daf64c628753cc828b76a092f9e037ff7120699
Instruction Fuzzy Hash: 2F228471504705CBC7349F18C5C162AB6E1AB58700B345F3FE5DAFABE0DA3AE8419B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0044A439 Relevance: 10.6, Strings: 8, Instructions: 632COMMON

Download Yara Rule

Strings

8s, xrefs: 0044A936
K{, xrefs: 0044AB52
K{, xrefs: 0044ADF1
7s, xrefs: 0044A579
J{, xrefs: 0044A788
K{, xrefs: 0044AC7F
8s, xrefs: 0044A766
K{, xrefs: 0044AE2B

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: 7s$8s$8s$J{$K{$K{$K{$K{
API String ID: 0-1859021670
Opcode ID: bc6f48e4497b2158dd54ef4888717aa15793687addcf9017ae160e447d336c12
Instruction ID: 1a63d00c76e43a1dda4bc9e17c07dc65e1e607faf217156504844b5eb0150d01
Opcode Fuzzy Hash: bc6f48e4497b2158dd54ef4888717aa15793687addcf9017ae160e447d336c12
Instruction Fuzzy Hash: 7932D7B19883018FEB248F18C59567EB7E0EB94310F64891FF199CB350D67CE8A59B4B

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF6A Relevance: 9.5, Strings: 6, Instructions: 1975COMMON

Download Yara Rule

Strings

vmz, xrefs: 0040F0A8
vmz, xrefs: 0040EF28
vmz, xrefs: 0040F0CB
vmz, xrefs: 0040EFA9
vmz, xrefs: 0040EF86
vmz, xrefs: 0040EF2F

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: vmz$vmz$vmz$vmz$vmz$vmz
API String ID: 0-2631656845
Opcode ID: 1afdaaae3841cfea759a3e029d5645fa2e01477f47c6c5e14a5a5b40943efff7
Instruction ID: 814cfd6e617f88223a1c428d37f449d9079544bee563000e8d4b46818cfec7de
Opcode Fuzzy Hash: 1afdaaae3841cfea759a3e029d5645fa2e01477f47c6c5e14a5a5b40943efff7
Instruction Fuzzy Hash: 43D27FB7B893144BD308CE59EC9129AF2D3ABD4624F1F943DE889D3301EE79D9074689

Uniqueness

Uniqueness Score: -1.00%

Function 00413777 Relevance: 9.4, Strings: 6, Instructions: 1917COMMON

Download Yara Rule

Strings

#dC4, xrefs: 004142BF
qxBK, xrefs: 00414606
d}W, xrefs: 00414471
d}W, xrefs: 00413933
d}W, xrefs: 00414803
#dC4, xrefs: 00413D28

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: #dC4$#dC4$qxBK$d}W$d}W$d}W
API String ID: 0-4235130334
Opcode ID: 213f6a85996d746e2b968655a41a64ecb8025b25bfe4d555a7066630e50e7e69
Instruction ID: 676a64121991c4d043dde5ef73355aa9aafc83cfbe13ce7ee21df49902576f4b
Opcode Fuzzy Hash: 213f6a85996d746e2b968655a41a64ecb8025b25bfe4d555a7066630e50e7e69
Instruction Fuzzy Hash: CFF205F5D00219EBDF249F5888816FEBEB5AB54311F24451BE519FB390D3788AC18B8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3C4 Relevance: 8.3, Strings: 6, Instructions: 821COMMON

Download Yara Rule

Strings

K{, xrefs: 0040F582
K{, xrefs: 0040FEED
K{, xrefs: 0040FB72
8s, xrefs: 0040FC38
J{, xrefs: 0040F666
8s, xrefs: 0040F61F

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: 8s$8s$J{$K{$K{$K{
API String ID: 0-1922912580
Opcode ID: 28a625cea988f21dafa543ac379e7c88b6ccad5ecaccd8811b4fc30d3e5b1ccc
Instruction ID: 4846a7e02c7e9f52c1688249f16107f52cc6d127d9912ed0093cada6fbdb1a7f
Opcode Fuzzy Hash: 28a625cea988f21dafa543ac379e7c88b6ccad5ecaccd8811b4fc30d3e5b1ccc
Instruction Fuzzy Hash: A75229B1D002099BDF349B54D9466BE7A70BB14310F24413BE915FB7D1E3BC8A85879B

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF58 Relevance: 5.7, Strings: 4, Instructions: 747COMMON

Download Yara Rule

Strings

u/6%, xrefs: 0040D19A
Y_5, xrefs: 0040D742
Y_5, xrefs: 0040D384
u/6%, xrefs: 0040D692

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: Y_5$Y_5$u/6%$u/6%
API String ID: 0-2251755769
Opcode ID: d35e182d859aa6e7b5caa54c68341d2ea7da014cdd19efd988d176db141d2a8d
Instruction ID: 2a9da9c3dff907e962c6715099ed85bfd0e059cfe0ca38c6a9c53710f79958e0
Opcode Fuzzy Hash: d35e182d859aa6e7b5caa54c68341d2ea7da014cdd19efd988d176db141d2a8d
Instruction Fuzzy Hash: D052C470E00209CBDF18DBA8C9856BEBBB1AB08700F25453BE515FB3D1D77899458B9B

Uniqueness

Uniqueness Score: -1.00%

Function 0041D97A Relevance: 4.4, Strings: 3, Instructions: 654COMMON

Download Yara Rule

Strings

8, xrefs: 0041E012
0, xrefs: 0041E01A
/, xrefs: 0041DA04

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: /$0$8
API String ID: 0-1466092297
Opcode ID: efdf8ca62e805c77d0302a2cf16a9820eda5af34bf0df2a868995c0e8097bff8
Instruction ID: f3cd5ad1a70834d29793be3a50564150e77230deba610e3d621bac35ea627184
Opcode Fuzzy Hash: efdf8ca62e805c77d0302a2cf16a9820eda5af34bf0df2a868995c0e8097bff8
Instruction Fuzzy Hash: 795235B1608340AFD714CF19C880BABBBE2BF88354F04892EF99987351D775D895CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB99 Relevance: 2.8, Strings: 2, Instructions: 315COMMON

Download Yara Rule

Strings

8, xrefs: 0041E012
0, xrefs: 0041E01A

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 74b43cad7cd9b1140e23dc688644fc080f1e11e15ea2bf48c5110ed617963227
Instruction ID: 8c2dd171849d87ae402aacb3ef3fdc173ce4e5145d55191c43ffbfa02a4b3064
Opcode Fuzzy Hash: 74b43cad7cd9b1140e23dc688644fc080f1e11e15ea2bf48c5110ed617963227
Instruction Fuzzy Hash: 41D15575608340AFCB15CF59C880AAFBBE2AFD9310F08891EF98987361D775C894CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00418F19 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e846ba28df3a411283894c7fa174d954b67003d694b2db4801835af3f3ff27
Instruction ID: d8c34c1f9918267475e0321b6939e561058c41834059ec72e27ca31b63c7b1d9
Opcode Fuzzy Hash: d7e846ba28df3a411283894c7fa174d954b67003d694b2db4801835af3f3ff27
Instruction Fuzzy Hash: A7626C316087418FC715DF19C490AAAB7E1FF89314F148A6EE4CA9B352D739EC86CB46

Uniqueness

Uniqueness Score: -1.00%

Function 004272D8 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4785ae7801f28f7af1e35b2df585575f371deddc840a981f57aaaf234f6eabb
Instruction ID: 94b8b7208b6eea89838c508b0059370ded6ae7f30709174ec5309e8e7f017635
Opcode Fuzzy Hash: e4785ae7801f28f7af1e35b2df585575f371deddc840a981f57aaaf234f6eabb
Instruction Fuzzy Hash: A412B0706087508FC324DF28D48066BBBE2FF95314F944E2ED5D687B81E739A845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 004188AD Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49a8c4fe128f161760440432f42091b6af603cedbf268e3c924fd299385812d
Instruction ID: c0c9e0cf1b8e68f01baed7596c2c84ca2cdba20737da6f151c7232e58b07f366
Opcode Fuzzy Hash: a49a8c4fe128f161760440432f42091b6af603cedbf268e3c924fd299385812d
Instruction Fuzzy Hash: 86126D756087459FC714CF29C4806AAFBE1FF88314F148A2EE89987351DB78EC95CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00428172 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe52bac06ce16e9f08cb5d1657a55b984f032921874ae6b4bfe86344577606a7
Instruction ID: 5205922cf9ee8d9f830a0e4fcf4c1b84075503156c1ebedd50a4de31efcdf8aa
Opcode Fuzzy Hash: fe52bac06ce16e9f08cb5d1657a55b984f032921874ae6b4bfe86344577606a7
Instruction Fuzzy Hash: 02E101757097228FC714CF18D4C066AB3E2FB89710F95892EE9C587341DA39EC86CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00451804 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9fc56ef6744bb48b4c3c38ccdbab8253d53d42572c6af067c01885487255db
Instruction ID: e0e66d06acfe6e258b093be2519e273b446996cb62d5353273c87f522a2b4494
Opcode Fuzzy Hash: 4e9fc56ef6744bb48b4c3c38ccdbab8253d53d42572c6af067c01885487255db
Instruction Fuzzy Hash: C2C1DE70A006068FCB25DE68C49077BB7A2AB45316F14461FDC96973B3D738AC4ECB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF07 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65edce4011fe75c152e4a205463254ef5ba32a3b434c594998cae668442aa820
Instruction ID: b113fd61868e8aad634375436d7b03f3a17f9b9befcc20123a0a138df9498c0b
Opcode Fuzzy Hash: 65edce4011fe75c152e4a205463254ef5ba32a3b434c594998cae668442aa820
Instruction Fuzzy Hash: 91512C70648341AFD754CF19C8C469BBBE2FFC8354F14892DE9C987221D738A9868F56

Uniqueness

Uniqueness Score: -1.00%

Function 0044DDD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 5ff6d5aac768553640ef89d29a0b298d9d40fe2281b5596c48f46ad3c9f4012f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 7B115BB7A0084283F6148A2DD8B45BBE395EBF632173C437BD1414F758D12AE9419508

Uniqueness

Uniqueness Score: -1.00%

Function 0041C04D Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e2ec432e3fa899e311f0d4bf150ecb1f06816256eb7586fb62822e78b002ac
Instruction ID: 39fcc71c70fff29e980620cb4905b6456aefe93da48e3323eb7e6c99a290b9e8
Opcode Fuzzy Hash: 56e2ec432e3fa899e311f0d4bf150ecb1f06816256eb7586fb62822e78b002ac
Instruction Fuzzy Hash: 58219375684701AFE760CE25CCC5BABB7E2EFC4300F25882DE98946611D778E8869F16

Uniqueness

Uniqueness Score: -1.00%

Function 00465ADF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4785b5092675942952e50f51bc592a151422f09839d74c7d7987d06ff1cfb068
Instruction ID: 7f87f58e43202f9dbdd5d17cc8b52db53614b1c77595f0e37707a5d43118d75e
Opcode Fuzzy Hash: 4785b5092675942952e50f51bc592a151422f09839d74c7d7987d06ff1cfb068
Instruction Fuzzy Hash: D8E08C72A11628EBCB14DB89C94498AF3FCEB49F04F1104ABB501E3200D274EE00CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0045BEE6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6263d25f185473e444c62492c9ca946ca6fcbb170d3b03874e94b62399f4701b
Instruction ID: 4627635b3231aa0e87d5e69636f9b2da7e22894808ceb0a1a3ecbc1a921b1ebd
Opcode Fuzzy Hash: 6263d25f185473e444c62492c9ca946ca6fcbb170d3b03874e94b62399f4701b
Instruction Fuzzy Hash: BEC08C35000D448ACE299D1086F13A63354E391783F90058EDA038B753DF9E9C8ADB45

Uniqueness

Uniqueness Score: -1.00%

Function 00408DB5 Relevance: 37.7, Strings: 30, Instructions: 243COMMON

Download Yara Rule

Strings

\u000f, xrefs: 004090BF
\u0016, xrefs: 00409113
\u001d, xrefs: 00409152
\u001b, xrefs: 00409140
\u0000, xrefs: 00408FEA
\u0014, xrefs: 004090FB
\u0018, xrefs: 00409125
\u0011, xrefs: 004090D7
\u0003, xrefs: 0040902F
\u0015, xrefs: 00409107
\u0017, xrefs: 0040911C
\u0019, xrefs: 0040912E
\u0012, xrefs: 004090E3
UDG, xrefs: 0040918D
\u0010, xrefs: 004090CB
~CG, xrefs: 004091AE
\u0007, xrefs: 0040905F
\u001e, xrefs: 0040915B
\u000b, xrefs: 0040908F
\u0013, xrefs: 004090EF
\u0006, xrefs: 00409053
\u0005, xrefs: 00409047
\u0002, xrefs: 00409023
\u001c, xrefs: 00409149
\u001f, xrefs: 00409164
\u0001, xrefs: 00409017
\u0004, xrefs: 0040903B
\u001a, xrefs: 00409137
RDG, xrefs: 0040917F
\u000e, xrefs: 004090B3

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: RDG$UDG$\u0000$\u0001$\u0002$\u0003$\u0004$\u0005$\u0006$\u0007$\u000b$\u000e$\u000f$\u0010$\u0011$\u0012$\u0013$\u0014$\u0015$\u0016$\u0017$\u0018$\u0019$\u001a$\u001b$\u001c$\u001d$\u001e$\u001f$~CG
API String ID: 0-1616629490
Opcode ID: b661657e60387a2b417b4ce597c6e72426497a9096c612e9857eece28fac1638
Instruction ID: da643803d9f054d67c8a4598d5ef905c0e4847a55d69c73e800997069ed3fbc8
Opcode Fuzzy Hash: b661657e60387a2b417b4ce597c6e72426497a9096c612e9857eece28fac1638
Instruction Fuzzy Hash: 3971732170855253EB18481A499417A9283E7C9315A75C93F88EFEFBCEDB3D8C4B624F

Uniqueness

Uniqueness Score: -1.00%

Function 00408F9C Relevance: 37.7, Strings: 30, Instructions: 163COMMON

Download Yara Rule

Strings

\u000f, xrefs: 004090BF
\u0016, xrefs: 00409113
\u001d, xrefs: 00409152
\u001b, xrefs: 00409140
\u0000, xrefs: 00408FEA
\u0014, xrefs: 004090FB
\u0018, xrefs: 00409125
\u0011, xrefs: 004090D7
\u0003, xrefs: 0040902F
\u0015, xrefs: 00409107
\u0017, xrefs: 0040911C
\u0019, xrefs: 0040912E
\u0012, xrefs: 004090E3
\u0010, xrefs: 004090CB
~CG, xrefs: 004091AE
\u0007, xrefs: 0040905F
\u001e, xrefs: 0040915B
\u000b, xrefs: 0040908F
\u0013, xrefs: 004090EF
\u0006, xrefs: 00409053
\u0005, xrefs: 00409047
\u0002, xrefs: 00409023
\u001c, xrefs: 00409149
\u001f, xrefs: 00409164
\u0001, xrefs: 00409017
\u0004, xrefs: 0040903B
~CG, xrefs: 00408FAC
\u001a, xrefs: 00409137
RDG, xrefs: 0040917F
\u000e, xrefs: 004090B3

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID: _strlen
String ID: RDG$\u0000$\u0001$\u0002$\u0003$\u0004$\u0005$\u0006$\u0007$\u000b$\u000e$\u000f$\u0010$\u0011$\u0012$\u0013$\u0014$\u0015$\u0016$\u0017$\u0018$\u0019$\u001a$\u001b$\u001c$\u001d$\u001e$\u001f$~CG$~CG
API String ID: 4218353326-1093896964
Opcode ID: 92a5daf4c030202617a3710e94bc8c88b02767ab8d9d58381f46ebd3cc8abb52
Instruction ID: 6b181d5586dadc95d50b7be9232f44eab00bf2f558148fb080e8d5cc10165189
Opcode Fuzzy Hash: 92a5daf4c030202617a3710e94bc8c88b02767ab8d9d58381f46ebd3cc8abb52
Instruction Fuzzy Hash: 6A419F21308152A3EB14485A099857A9287B7D4304674CC3F59AFEFBCEEB7C8C0B625F

Uniqueness

Uniqueness Score: -1.00%

Function 0040225B Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 391COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040247B

Strings

BCG, xrefs: 00402353
true, xrefs: 004023FF
null, xrefs: 00402289
[,]{: }, xrefs: 0040238E
BCG, xrefs: 0040263F
mCG, xrefs: 004026CE
%1.17g, xrefs: 004022D6
kCG, xrefs: 004024CC
BCG, xrefs: 004023CB
false, xrefs: 00402406
BCG, xrefs: 00402548

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID: _strlen
String ID: %1.17g$BCG$BCG$BCG$BCG$[,]{: }$false$kCG$mCG$null$true
API String ID: 4218353326-3495153165
Opcode ID: c05c931bb5904fad45b61dc592e633befda1343face2e9083cf1dd9c69c39443
Instruction ID: 3e6c3027b6cb029422fa86bedfb9045099184e97cfa2bf22ab3905086238fa14
Opcode Fuzzy Hash: c05c931bb5904fad45b61dc592e633befda1343face2e9083cf1dd9c69c39443
Instruction Fuzzy Hash: 46B1D2727042126BC701A9798E5862BA1D65FD4308F19893FEC5AE33D1FABEDC01825E

Uniqueness

Uniqueness Score: -1.00%

Function 00401F10 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040247B

Strings

BCG, xrefs: 00402353
null, xrefs: 00402289
mCG, xrefs: 004026CE
%1.17g, xrefs: 004022D6
,]{: }, xrefs: 00402522
kCG, xrefs: 004024CC
BCG, xrefs: 00402548

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID: _strlen
String ID: %1.17g$,]{: }$BCG$BCG$kCG$mCG$null
API String ID: 4218353326-649788014
Opcode ID: 56c1205ad8d13971891afb8da1dd074e06fdef83645ec72ebdccc6115e09c005
Instruction ID: cf9e310160fdbfee2f39e531065648e0fb275fee0c287c661a1c7380e378875e
Opcode Fuzzy Hash: 56c1205ad8d13971891afb8da1dd074e06fdef83645ec72ebdccc6115e09c005
Instruction Fuzzy Hash: 77B1EDB2B042115BD70066765E8A63F61DA9A94348F08443FED0AF73D2FABDDD01829F

Uniqueness

Uniqueness Score: -1.00%

Function 00425AB4 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 247COMMON

Download Yara Rule

APIs

_wctomb_s.LIBCMT ref: 00425EAE

Strings

SXQ, xrefs: 00425BCD
RXQ, xrefs: 00425BC2
*[, xrefs: 00425BD8
*[, xrefs: 00425ACE

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID: _wctomb_s
String ID: RXQ$SXQ$*[$*[
API String ID: 2865277502-682523798
Opcode ID: 5840aa146876ea4c3533823f37edeebc54f033845f5ea1b41a46b80ed5dc3808
Instruction ID: e225e6e02604ca249743332e38f7e562f38d4f17e491d65ad27427a622be7079
Opcode Fuzzy Hash: 5840aa146876ea4c3533823f37edeebc54f033845f5ea1b41a46b80ed5dc3808
Instruction Fuzzy Hash: 81817AB0745B28A7DB243718BDC663E7594AB10700FA5892FF145C93E0F2BECA854A4F

Uniqueness

Uniqueness Score: -1.00%

Function 00412FD8 Relevance: 5.4, Strings: 4, Instructions: 442COMMON

Download Yara Rule

Strings

1Bd, xrefs: 004130D6
2Bd, xrefs: 00413665
2Bd, xrefs: 00413218
v?, xrefs: 0041371B

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: 1Bd$2Bd$2Bd$v?
API String ID: 0-2387898446
Opcode ID: 6c1f02026cb3473c19bc16c1edc72fe3f9d4ef045a53b2ce126227c9656bd19f
Instruction ID: 0bec1263e9e74890287c492917e64c1498b3282183b8f6c61483c19dd5e6f1c7
Opcode Fuzzy Hash: 6c1f02026cb3473c19bc16c1edc72fe3f9d4ef045a53b2ce126227c9656bd19f
Instruction Fuzzy Hash: D8F117B190C301AFC7249F18C4815AEBEE0AB58745F14482FF489DB395D638CEC59B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 5.2, Strings: 4, Instructions: 250COMMON

Download Yara Rule

Strings

1Bd, xrefs: 004010C1
v?, xrefs: 00401046
v?, xrefs: 004012E8
2Bd, xrefs: 004011C8

Memory Dump Source

Source File: 00000000.00000002.1760031926.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1760017855.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760067861.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760093540.0000000000486000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760154905.0000000000574000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760167150.0000000000575000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1760306765.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xXO3Bx1Gtv.jbxd

Similarity

API ID:
String ID: 1Bd$2Bd$v?$v?
API String ID: 0-3836783068
Opcode ID: d189a21a89ebebfcc92cd6fe936fda9a21cb4e1e1c2abb84037056e414036459
Instruction ID: 403d4f7ca9f8282439483ec99260de99c8cd5df303c45e2ea85c42a292c27855
Opcode Fuzzy Hash: d189a21a89ebebfcc92cd6fe936fda9a21cb4e1e1c2abb84037056e414036459
Instruction Fuzzy Hash: 6E9160715082418AD7288F58C48453EB6F5AB84304F65897FE8D6EBBF0D73CC9829B5B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xXO3Bx1Gtv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xXO3Bx1Gtv.exe_b9154763bcedd46a6db4586a931bedddd56ff80_f1e767b5_e85d00cd-1196-428b-9568-1792ead1eaee\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C06.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26D4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26F5.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
xXO3Bx1Gtv.exe